Reprinted from HEALTH PLAN WEEK, the most reliable source of
objective business, financial and regulatory news of the health insurance
industry.
By Diana Manos, Senior Reporter
July 3, 2017, Volume 27, Issue 23
Two years after Anthem Inc., the largest health insurer in the
country, announced a breach of personal health information (PHI) affecting
nearly 80 million of its beneficiaries, the attorneys for those breached have
come to an agreement with the insurer. The settlement is a good reminder that
health plans can no longer assume the status quo will work for protecting
patient records, attorneys and cybersecurity consultants say. Neither should
they become apathetic because of the difficulty of cybersecurity in today’s
rapidly changing technology world.
The 54-page, $115 million settlement agreement is pending Aug. 17
preliminary approval by Northern District of California Judge Lucy Koh. More
than 100 lawsuits were filed against Anthem across the country over the past
two years, and the cases were consolidated for the settlement, according to
Andrew Friedman, a partner of Cohen Milstein Sellers & Toll PLLC and
co-lead for the plaintiffs’ counsel.
The takeaway is simple, Friedman tells AIS Health. “I think people
more and more will look to those companies that they buy products from to
protect them from this kind of thing happening,” he said. “It’s no longer
business as usual.”
Some $15 million of the $115 million settlement fund will be
set aside to reimburse class members for out-of-pocket costs incurred because of
the breach, according to Friedman, who says the plaintiffs’ counsel are satisfied
this amount will suffice. In addition, Anthem will be required to meet certain
undisclosed IT security standards and will provide the affected members with two
years of credit monitoring.
Anthem has already been providing credit monitoring since the
breach, so if the settlement is approved, the beneficiaries with breached
records will receive a total of four years of credit monitoring.
Settlement Would Audit Anthem’s IT
Friedman says the settlement calls for tangible proof that Anthem
has upped its game and is maintaining top-level IT security for the next three
years. The technical requirements for Anthem under the agreement were drawn up
with the help of IT experts, he says, and they “are filed under seal,”
intentionally, so as to prevent potential hackers from knowing its security
strategies.
Independent consultants will conduct an annual IT risk
assessment of Anthem for the next three years and report back to the
plaintiffs’ counsel, Friedman says. The agreement doesn’t include
requirements beyond three years because technology changes too quickly from
year to year and the plaintiffs’ counsel wanted the requirements to be specific
and trackable. They also assume that after three years, Anthem will be
incentivized to keep its security strategy at a high level.
According to the Oct. 19, 2015, complaint, Anthem failed to limit
access to PHI to those on a “need-to-know” basis and “failed to allocate the
resources necessary to maintaining the confidentiality of this information,”
among other things.
Geraldine Rodriguez, a spokesperson for the insurer, says Anthem
believes the proposed settlement will “completely resolve” the breach
litigation.
The insurer “is not admitting any wrongdoing or that any
individuals were harmed as a result of the cyber attack,” Rodriguez says.
“There is no evidence that any data impacted by the cyber attack has ever been
sold or used to commit fraud,” according to Rodriguez.
But that’s not what the Anthem members who were breached say. A
Feb. 24 complaint reports they “have been repeatedly harmed.” The complaint
lists fake tax returns filed, bank accounts drained and credit cards or
fraudulent loans taken out in their names. “Affected individuals must worry
about being victimized throughout the rest of their lives,” the complaint says.
Cybersecurity Is Tough for Health Care
Robert Lord, co-founder and CEO of Protenus, a health data
security platform company, says cybersecurity is especially hard in the health
care industry. “It’s easy to blame health care, but we have a level of
complexity to manage on that front,” Lord says. “We also require a level of
openness for treating patients that is incompatible with a heavily locked-down
framework.”
Health plans are particularly vulnerable targets because they have
large amounts of data and their records include not only information from
medical records but also claims data. “When you have someone’s medical history,
you really almost own that person completely,” Lord says. “It’s quite a
terrifying scenario.”
Today’s cybersecurity threats, Lord says, require the use of artificial
intelligence and machine learning to help human IT teams find the risks, and he
advises employing several such advanced methods in combination to protect records.
Given the advanced level of threats out there, IT teams at most health plans
are hard pressed to provide the needed security with constrained resources, Lord
says. He urges boards of directors to focus on upgrading IT training. Without
this, the job is becoming “nearly impossible to do right.”
Read the entire proposed settlement agreement at http://bit.ly/2uj0HIl.
https://aishealth.com/archive/nhpw070317-05?utm_source=Real%20Magnet&utm_medium=email&utm_campaign=116736680