Deeper Than the Headlines: Compliance During a Data Breach

When compliance officers hear of healthcare organization settlements associated with compliance problems, they’re typically hearing of settlements engineered by a government agency such as the U.S. Department of Justice or the HHS Office for Civil Rights.

But more and more we’re hearing of settlements involving shareholders and/or class-action lawsuits. One of the most recent, a $115 million settlement between Anthem and the victims of Anthem’s data breach, is believed to be the largest settlement regarding a data breach. The breach itself, a result of hacking in 2015, was one of the largest on record and involved data for nearly 79 million people, including names, birthdays, medical IDs, social security numbers, street addresses, email addresses and employment information, including income data.

This amount doesn’t include what Anthem had already spent on the credit monitoring services it previously provided to customers. Additionally, Anthem’s website describes its offer of credit freezes for individuals who were children at the time of the breach. This, too, costs the organization time and money.

From Anthem’s website:

“There’s no proof that anyone’s information was misused, but we want you to have extra peace of mind. We’re offering a special program to pay for a credit freeze for your child. Or, if you were a child affected by the cyber attack but are now an adult as of February 24, 2017, we want to make sure you know about a new adult credit freeze reimbursement offer. This program is an added layer of security for their information.”

The Anthem website also provides some further details and insights into the settlement agreement.

For example, “When Anthem discovered the cyber attack in 2015, the company offered two years of credit monitoring and identity protection services to all individuals whose data may have been impacted. As part of this final resolution of the litigation, class members can receive an additional two years of credit monitoring and identity protection services, along with other significant benefits.”

In addition, “Anthem has agreed that $15 million of the fund will be allocated to pay actual out-of-pocket costs, up to a set amount, that class members claim they incurred due to the cyber attack. Class members who already have credit services can submit a claim to receive alternative cash compensation instead of receiving the credit services provided by the settlement.”

Undoubtedly, there will be ongoing costs as well, such as an enhanced information security program. Again, from the website, Anthem states, “as part of the settlement, Anthem has agreed to continue the significant information security practice changes that we undertook in the wake of the cyber attack, and we have agreed to implement additional protections over the next three years.”

Compliance officers, as well as information security professionals, can take away some practical ideas for setting up a breach-response website in anticipation of a potential breach their organization might face. The FAQs point out some of the questions your organization should be prepared to answer if it is unfortunate enough to suffer a breach.
Some of these FAQs include:

“How can I find out if my information was compromised?”

“Who is responsible for this cyber attack or breach?”

“Has the FBI released any details as a result of their investigation?”

“If I choose to purchase credit monitoring and repair services effective immediately, will Anthem reimburse me?”

The settlement still has to be approved by the judge presiding over the litigation but much can be learned from this nightmare.