Anthem Data-Breach Settlement Sets Tone for Privacy Enforcement

October 23, 2018 | Rivkin Rounds Staff | Cybersecurity | Electronic Health Records | HIPAA | Litigation | Private Insurers

An October 16, 2018, article in Bloomberg Law’s Health Law & Business, “Anthem Data-Breach Settlement Sets Tone for Privacy Enforcement,” discussed Anthem, Inc.’s recent $16 million data breach settlement with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). The 2015 breach compromised the personal information of about 79 million people. Rivkin Radler partner Eric Fader was quoted in the article.

Eric pointed out that Anthem’s size and perceived ability to pay were undoubtedly major factors in the size of the settlement. Most important, he observed, was the OCR’s determination that Anthem had failed to conduct an enterprise-wide risk analysis and implement other preventive procedures. “Unfortunately, data breaches are inevitable due to human error even when an entity has done virtually everything properly on an organizational level, but the size of this settlement sends a clear message that inattention to necessary preventive measures is a separate offense that will not be tolerated,” Eric said.

Before the OCR’s recent six-month hiatus between settlement announcements, the $3.5 million settlement with Fresenius Medical Care North America in February of this year had focused on the failure to conduct a thorough risk analysis and to implement proper policies and procedures, and the Anthem settlement should serve to hammer home that point, Eric said. The Fresenius breach involved the protected health information of fewer than 200,000 patients. “I don’t think we’ll see breaches on the Anthem scale, involving tens of millions of people’s protected health information, [very often,]” Eric speculated, “but it seems fair to hold these huge companies to at least the same standards, if not higher standards, and subject them to proportionate penalties.”
