State Attorneys General Secure $10 Million Settlement in Multistate HIPAA Data Breach Lawsuit | Practical Law

A Washington-based health insurer and several state attorneys general have reached a $10 million settlement arising from a data breach involving more than ten million individuals' protected health information (PHI). The settlement requires the insurer, a covered entity and business associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to take numerous steps to protect the PHI in its possession.

State Attorneys General Secure $10 Million Settlement in Multistate HIPAA Data Breach Lawsuit

by Practical Law Employee Benefits & Executive Compensation
Published on 16 Jul 2019 | USA (National/Federal)
A Washington-based health insurer (Premera Blue Cross) and 30 state attorneys general have reached a $10 million settlement in an investigation resulting from a data breach involving the protected health information (PHI) of more than 10 million individuals. In addition to Washington State, other states involved in the investigation have separately sought court consent decrees (see, for example, the filings from Connecticut and Montana).
The settlement requires the insurer to:
  • Pay $10 million to the states ($5.4 million will be paid to Washington State and $4.6 million will be divided among the remaining 29 states).
  • Complete a lengthy list of compliance steps to protect PHI in its possession.

Unauthorized Access to Networks Resulted in Impermissible Disclosure

In March 2015, the insurer, a HIPAA covered entity (CE) and business associate (BA), announced that a hacker had gained unauthorized access to its networks for a ten-month period (see Practice Note, HIPAA Privacy Rule: Entities Subject to Privacy Rule and HIPAA Privacy, Security, and Breach Notification Toolkit). The networks accessed by the hacker contained individuals' names, addresses, phone numbers, dates of birth, private health information, Social Security numbers, and bank account information. According to the Washington State Attorney General's complaint, the insurer had been warned by its own internal IT auditors and cybersecurity assessors, in the years preceding the breach, of vulnerabilities in its networks. However, the insurer apparently failed to take adequate remedial action in response. The attorneys general for 30 states filed a class action lawsuit against the insurer for violations of HIPAA and state consumer protection laws.

Settlement Requires Insurer to Comply with HIPAA

The settlement requires the insurer to carry out an expansive set of compliance actions intended to satisfy HIPAA (and other federal and state consumer protection laws). Among other requirements, the Washington State consent decree requires the insurer to:
  • Pay $10 million to the states.
  • Perform a comprehensive review and assessment of its compliance program.
  • Continue having a compliance officer (with experience under HIPAA and related laws) who is responsible for implementing, maintaining, and monitoring the compliance program.
  • Implement a comprehensive information security program designed to safeguard the PHI in its possession. Requirements under the information security program include:
    • monitoring network traffic and log-in attempts;
    • documenting appropriate administrative, technical, and physical safeguards for the CE's PHI and other information (see Practice Note, HIPAA Security Rule);
    • restricting network access to PHI and other personal information (including via smartphones, tablets, and personal laptops) to the extent necessary for employees to perform their job functions;
    • providing annual training for employees who handle PHI (regarding HIPAA compliance training in the group health plan context, see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials); and
    • maintaining and revising, as necessary, a written response plan for security incidents.
  • Hire a chief information security officer who will be responsible for implementing, maintaining, and monitoring the information security program.
  • Designate privacy and security officials who will be responsible for ensuring compliance with HIPAA's Privacy and Security Rules (45 C.F.R. §§ 164.530(a) and 164.308(a)(2); see Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule and HIPAA Privacy, Security, and Breach Notification Toolkit).
  • Map where PHI is located in the insurer's network and perform annual penetration testing of its network.
  • Perform a risk assessment of the risks and vulnerabilities to the PHI in its possession.
  • Implement a risk-assessment program to address any risks or vulnerabilities identified in the risk assessment.
  • For a three-year period, obtain an annual third-party information security assessment and provide the assessment to the Washington State Attorney General's Office.

Practical Impact

This is the second major multistate HIPAA data breach settlement we've reported in as many months, and reflects yet another source of potentially expensive liability for HIPAA CEs and BAs (see Legal Update, State Attorneys General Secure Settlement in First-Ever Multistate HIPAA Data Breach Lawsuit). The compliance obligations required of the insurer under this consent decree are extensive, to say the least – even relative to the typical HHS HIPAA settlement agreement (see Practice Note, HIPAA Enforcement: Settlement Agreements). The insurer will need an entire team of experts/officials to keep ahead of requirements under the decree's compliance and information security programs. Some of the privacy/security officials will have recurring interaction with the insurer's executive leadership concerning privacy/security risks and issues. The decree also addresses relationships involving the insurer's business associates, service providers, and other vendors.
One aspect of the insurer's response to the data breach that was especially troubling to the state attorneys general was its misleading communications to the public about the breach's scope and severity. For example, the insurer's call center representatives informed the public that there was no reason to believe that individuals' personal information had been accessed or misused, despite pre-breach warnings of security vulnerabilities in the insurer's network. These misrepresentations run counter to HIPAA breach notification principles (see Practice Note, HIPAA Breach Notification Rules).