The cyber attack and data breach at Anthem – reported on February 4 – has already spawned lawsuits in at least four states. It is reported that the breach – caused by unknown hackers – affected as many as 80 million records of customers and employees.
Anthem says that the hackers took names, birthdays, medical IDs, social security numbers, street addresses, email addresses and employment information, including income data. Anthem says there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.
Anthem says it will individually notify current and former members whose information has been accessed, and will provide credit monitoring and identity protection services free of charge.
According to the Los Angeles Times, the hackers gained access to the Anthem system by commandeering the credentials of five tech workers, one of whom discovered on January 27 that outsiders were using his credentials. Apparently the data was not encrypted. Anthem says it has retained a cyber-security firm to evaluate its systems and identify solutions based on the evolving landscape.
In a February 6 press release, Anthem warned of scam “phishing” email campaigns targeting Anthem members, but said that there is no evidence that the campaigns were being carried out by the people responsible for the cyberattack. Anthem says it will contact members about the cyber attack via U.S. mail.
The National Association of Insurance Commissioners announced that its members have called for an immediate and comprehensive review of Anthem’s security to ensure protection of consumers. Some press coverage suggests that the breach is not subject to HIPAA, because medical information was not compromised. The HHS Office for Civil Rights might differ – it is on record that a health insurance card meets the definition of protected health information, and must be safeguarded. It might take the same view of demographic information on a health insurer’s computer.
Private plaintiffs have wasted no time. USA Today reports that lawsuits have been filed in Indiana, California, Alabama and Georgia. A California lawsuit, Liu vs. Anthem, Inc., U.S. District Court, Central District of California, Case No. 8:15-cv-00215, filed February 6, is a putative national class action (with a California subclass) that alleges a failure to encrypt member information, and a failure to give immediate notification to affected members. The complaint alleges that the failure to encrypt constituted negligence, negligence per se (because it violated the security standards of the Gramm-Leach-Bliley Act and HIPAA), breach of an implied contract to keep the data safe and to provide prompt notice of breaches, violation of Indiana and California unfair business practice laws, and violation of California’s consumer data breach notification and medical information confidentiality laws; and that it resulted in Anthem’s unjust enrichment (because Anthem should have spent more of its subscribers’ premium on data security).
Much of the discussion about the incident centers on Anthem’s apparent failure to encrypt member information. HIPAA does not mandate encryption of stored data: under the HIPAA Security Rule it is an “addressable” means of access control, meaning that a covered entity must assess whether it is appropriate, and implement it if it is or, if it is not, implement an alternative measure that is appropriate. In a system like the Internet, which has no other access controls, there may be few effective substitutes. In a closed system, however, many organizations control access by other methods – typically a user name and password.
The debate that this incident has sparked may have an effect on industry practices. It seems possible, however, that encryption would not have been effective in this case, because the hackers evidently obtained the credentials of users who would likely have had access to the data even if it had been encrypted. While encryption is an obvious choice for Internet communications, the Security Rule leaves room for other considerations when data is stored on a server.
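The point above, that encryption at rest does nothing against an attacker who holds a valid user credential, is easy to see in code. The following is an added illustration, not code from the article or from Anthem: a toy member store whose rows are encrypted on disk with a server-held key, a login check, and a simple detection rule of the kind that would surface the situation described earlier, where a worker found outsiders using his credentials. The XOR keystream cipher, the usernames, the member record and the login events are all constructed for the example; a real system would use a vetted AEAD cipher and real authentication logs.

```python
"""Encryption at rest versus a stolen-but-valid credential (added example)."""
import hashlib
import hmac
import os
from collections import defaultdict

# --- toy encryption at rest (constructed for illustration; NOT a real cipher) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

# --- a member database whose rows are encrypted on disk ---------------------

class MemberStore:
    def __init__(self):
        self._key = os.urandom(32)   # data-encryption key held by the application
        self._rows = {}              # member_id -> ciphertext blob
        self._users = {}             # username -> (salt, password hash)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, pw_hash)

    def put(self, member_id: int, record: str) -> None:
        self._rows[member_id] = encrypt(self._key, record.encode())

    def read_raw(self, member_id: int) -> bytes:
        """What someone with the disk or database file, but no key, sees."""
        return self._rows[member_id]

    def read_as_user(self, username: str, password: str, member_id: int) -> str:
        """What any holder of a valid credential sees: the plaintext.
        The store cannot tell a legitimate user from a thief with the same password."""
        entry = self._users.get(username)
        if entry is None:
            raise PermissionError("unknown user")
        salt, expected = entry
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(got, expected):
            raise PermissionError("bad credential")
        return decrypt(self._key, self._rows[member_id]).decode()

# --- a control that does address credential theft: spot shared-account use ---

def concurrent_source_logins(events, window_seconds: int = 3600) -> set:
    """Flag accounts used from more than one source address within a window.
    events: iterable of (timestamp_seconds, username, source_ip)."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_user[user].append((ts, ip))
    flagged = set()
    for user, entries in by_user.items():
        for i, (ts_i, ip_i) in enumerate(entries):
            for ts_j, ip_j in entries[i + 1:]:
                if ts_j - ts_i > window_seconds:
                    break
                if ip_j != ip_i:
                    flagged.add(user)
    return flagged

# Constructed sample login events (documentation-range addresses, fake users).
SAMPLE_LOGINS = [
    (0,     "tech_worker_1", "192.0.2.10"),
    (600,   "tech_worker_1", "192.0.2.10"),     # same workstation, normal
    (100,   "tech_worker_3", "192.0.2.44"),
    (900,   "tech_worker_3", "198.51.100.7"),   # second address 13 minutes later
    (0,     "tech_worker_2", "192.0.2.20"),
    (10000, "tech_worker_2", "192.0.2.21"),     # outside the window, not flagged
]

def demo():
    """Encrypted-at-rest row: opaque without the key, plaintext with a credential."""
    store = MemberStore()
    store.add_user("tech_worker_1", "correct horse")                       # constructed
    store.put(1001, "Jane Doe; DOB 1970-01-01; SSN 000-00-0000")           # constructed
    return store.read_raw(1001), store.read_as_user("tech_worker_1", "correct horse", 1001)

if __name__ == "__main__":
    raw, via_credential = demo()
    print("raw row contains plaintext:", b"Jane Doe" in raw)
    print("via valid credential:", via_credential)
    print("accounts used from multiple addresses:", concurrent_source_logins(SAMPLE_LOGINS))
```

The two reads in `demo` are the whole argument: the thief of a disk image gets ciphertext, while anyone presenting a valid password gets the decrypted record, which is exactly the position of an attacker using a commandeered account. The detection rule at the end is deliberately crude (a real rule would use geolocation, device fingerprints or session overlap), but it targets the control that actually matters in this scenario, which is noticing that an account is being used by more than one party.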
The state courts in California have been unreceptive to class action suits for data breaches without evidence of harm. In one case, involving the theft of a hospital patient list containing the names, ages, dates of birth, partial social security numbers and medical record numbers of more than 500,000 persons, the Court of Appeal held that demographic information of this kind was not “medical information” under California’s Confidentiality of Medical Information Act. In another matter, the court dismissed a case against a hospital system that lost a desktop computer containing four million patient records to a break-in theft. The computer was password-protected, but not encrypted. The court held that there was no violation of California’s Confidentiality of Medical Information Act without proof that an unauthorized person had had access to the information.
This reluctance by the California courts may be due in part to the escalating nominal damages where large numbers of records are breached. According to the complaint in the Liu case, Indiana’s consumer protection law allows an action for damages actually suffered, or $500, whichever is greater. The California law allows nominal damages of $1,000 for negligently permitting unauthorized access to medical information. If other states have similar laws, and if the courts allow recovery without proof of actual harm, the damages could be significant, even for the second-largest health insurer in the country.
Hooper, Lundy & Bookman provides a range of legal services relating to health information technology, including procurement, licensing, compliance and health information privacy and security. For more information, please contact: In San Francisco, Paul Smith, Steve Phillips or Clark Stanton at 415.875.8500; in Los Angeles, Hope Levy-Biehl or Amy Joseph at 310.551.8111; and in Washington, D.C., Bill Eck or Alex Brill at 202.580.7700.
A previous version of this summary was published by the American Health Lawyers Association. Copyright 2015.