Corporate Counsel Weekly™ helps corporate lawyers get the big picture on the legal challenges facing corporations today. Practitioners can discover trends on the horizon and stay alert to the full...
By Alex Ruoff
Feb. 5 — Health care insurer Anthem Inc. will likely suffer damage to its reputation and faces potential lawsuits from a cyberattack that resulted in the theft of data from millions of its customers, but the company has little to fear from federal regulators, a health care attorney told Bloomberg BNA Feb. 5.
Only a fraction—less than 2 percent—of companies that experience a breach of consumer information are fined by the Department of Health and Human Services Office for Civil Rights, Kirk Nahra, a partner at the Washington-based law firm of Wiley Rein LLP, told BBNA.
“Most security breaches don't lead to some kind of compliance action,” Nahra said. Anthem is “a big company with a lot of customers so my guess is they'll look pretty good when the government comes to look at their security policies and procedures.”
Anthem, the second biggest U.S. health insurer by market value, announced Feb. 5 that hackers had obtained data on tens of millions of current and former customers and employees in a sophisticated attack.
Anthem has made efforts to close the security vulnerability hackers used to obtain consumers' data, the company said in a Feb. 5 statement. Ten attorney generals are calling on Anthem to immediately provide additional detailed information about the breach, as well as offering identity theft protections.
Anthem was specifically targeted by an “advanced persistent threat (APT) actor” that breached the company's security controls and obtained personal information—including names, birthdays, Social Security numbers, e-mail addresses and employment information—for as many as 80 million Anthem customers, according to the Health Information Trust Alliance (HITRUST), a health care security industry group.
HITRUST is working with Anthem to analyze data from the breach to determine how it occurred and if other health care companies were similarly affected by cyberattack, the group said in a statement.
HITRUST said Anthem has adopted “strong information security controls” and participated in many cybersecurity preparation exercises.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule outlines security requirements for companies that collect and handle health data.
The rule has more than 50 provisions that require companies covered under HIPAA to maintain a range of security policies, from destroying old hardware to encrypting electronic health record systems, Nahra said. The rule doesn't specify exactly how health care organizations must secure patient data, only that certain standards must be met, he said.
“The government doesn't dictate too many specific practices or get into granular detail about what you have to do,” Nahra said. “It gives you a list of things you have to address, but it's intentionally flexible. One of the challenges is that it's hard to know if you've done enough.”
Nahra said most companies that experience a large and public breach of consumer data face civil lawsuits.
Michelle De Mooy, deputy director for the Consumer Privacy Project at the Center for Democracy & Technology, a privacy advocacy organization, told BBNA Feb. 5 that companies should practice “data minimization,” collecting only the most necessary information on consumers and regularly disposing of consumer data.
Because large companies “deal with so much data they need to be aware of the principles attached to good data hygiene, which includes data minimization,” De Mooy said. “It's the idea that you don't need to hold onto vast troves of data and can dispose of the data once you're done using it.”
To contact the reporter on this story: Alex Ruoff in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)