Several weeks ago, up to 80 million Anthem customers and employees were alerted that their personal information — including names, birthdays, medical IDs/Social Security numbers, street addresses, email addresses and employment information — might have been compromised in a major data breach.
Today, the Indianapolis-based insurance giant faces a fine of up to $1.5 million for the breach under United States Department of Health and Human Services rules. The breach at Anthem, which impacted individuals in 14 Anthem plans plus millions more enrolled in up to 42 non-Anthem Blue plans, is likely the largest health care related breach to date.
With eyes on the health insurer, news has also surfaced that back in 2010, Anthem, which then operated under the name WellPoint, was hit with a $1.7 million fine for a computer breach that compromised the personal information of approximately 612,000 people.
The fine was imposed by the U.S. Department of Health and Human Services under HIPAA, the 1996 Health Insurance Portability and Accountability Act, which governs the confidentiality and security of medical information.
According to the HHS investigation, WellPoint failed to implement policies and procedures to protect unsecured health information covered by HIPAA in 2009 and 2010. The company failed to perform an adequate technical evaluation in response to a software upgrade and did not implement technology to verify that a person or entity seeking access to the company's systems was the one claimed, among other violations.
Multiple violations are, in part, responsible for why Anthem (or WellPoint) was slapped with a $1.7 million fine back in 2010. Today, Anthem faces up to $1.5 million, despite so many more people being impacted this time around, because of some recent changes in rules and maximum fine limits. Namely, today's HIPAA violations have a maximum penalty of $50,000 per violation, with an annual maximum of $1.5 million.
According to Modern Healthcare, “the primary regulatory liability for companies involved in a breach is the potential for multiple violations of HIPAA. It was revised by Congress in 2009 by amendments in HITECH provisions of the American Recovery and Reinvestment Act, a federal stimulus. A 2013 'omnibus' privacy and security rule fleshed out those legislative changes.”
Modern Healthcare goes on to explain that before the HITECH Act, a covered entity had X, Y and Z obligations for privacy and security, but there were no direct obligations on their business associates: “They (covered entities) entered into business associate agreements that laid out what their legal obligations were and they typically laid their (HIPAA) obligations onto the business associate.”
Now, with HITECH, legal obligations apply directly to the business associates, according to Modern Healthcare. Furthermore, HITECH capped potential civil penalties for HIPAA violations at a maximum of $1.5 million a year, all of which helps explain why Anthem's fine this year is lower than five years ago.
Rachel Seeger, a spokesperson for the HHS Office for Civil Rights, wrote in an emailed statement to LifeLock, “the HHS Office for Civil Rights is looking into the recent Anthem data breach.”
“With respect to this incident, HHS has not imposed a civil penalty on, or entered into a resolution agreement requiring the payment of a resolution amount with, Anthem,” Seeger added.