News & Insights


October 23, 2018

Data, Privacy & Security Practice Report – October 23, 2018

Anthem Settles HIPAA Allegations Following Largest Health Data Breach In History For Record $16 Million – On October 15, 2018, the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced a record $16 million settlement with Anthem, Inc., to resolve allegations that Anthem violated certain HIPAA requirements prior to and following a 2015 cyber-attack in which protected health information (“PHI”) of nearly 79 million individuals was stolen from Anthem’s enterprise data warehouse. Prior to the Anthem settlement, the highest OCR settlement was $5.5 million. OCR opened a compliance review of Anthem in February 2015 after news outlets reported that Anthem had experienced a sophisticated external cyber-attack. After an investigation, OCR concluded that, in addition to failing to prevent the impermissible disclosure of PHI, Anthem, as a business associate, failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent unauthorized access to sensitive PHI.

According to Anthem’s breach report to OCR, in January 2015, Anthem discovered that cyber-attackers had gained access to Anthem’s information technology system. Upon further review, Anthem discovered that the cyber-attackers gained access by sending phishing emails to employees of an Anthem subsidiary. At least one employee responded to the malicious emails, exposing the system to further attacks. OCR’s investigation revealed that between December 2, 2014, and January 27, 2015, the cyber-attackers stole the PHI of nearly 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. This constituted the largest health data breach in history.

OCR concluded that Anthem failed to comply with several HIPAA requirements prior to and following the breach, including failure to conduct an enterprise-wide risk analysis, insufficient procedures to regularly review information system activity, failure to identify and respond to suspected or known security incidents, and failure to implement adequate minimum access controls to prevent unauthorized access to sensitive PHI. Notably, Anthem was acting as a business associate rather than a covered entity, providing administrative services to affiliated covered entity health plans.

In the resolution agreement between Anthem and OCR, in addition to its agreement to pay HHS $16 million, Anthem agreed to comply with a corrective action plan (“CAP”). The CAP requires Anthem to conduct a risk analysis; review, revise, and distribute policies and procedures; report certain events to OCR; and submit implementation and annual reports to OCR.

OCR’s press release and the resolution agreement are available on OCR’s website.

Reporter, Igor Gorlach, Houston, +1 713 276 7326,

SEC Investigative Report Warns Public Companies To Prioritize Cybersecurity In Their Accounting Controls – On October 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued an investigative report advising public companies that internal accounting controls should “reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” The report was based on the SEC Enforcement Division’s investigations of nine companies that fell victim to cyber fraud due to “business email compromises” (“BECs”). The frauds involved emails from fake executives or fake vendors who duped company personnel into sending large sums of money to bank accounts controlled by the perpetrators, costing those companies millions of dollars.

In some instances, the BEC schemes lasted months and were only detected after intervention by law enforcement or third parties. The SEC report indicated that each of the nine companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million. Most of those funds were unrecoverable.

The SEC typically issues investigative reports like this one—in lieu of enforcement actions against the companies or individuals involved—to signal the Commission’s views in areas that may be new or previously unclear.

According to a statement issued by the SEC in connection with its report: “Public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly. The FBI estimates fraud involving BECs has cost companies more than $5 billion since 2013.” Co-Director of the Enforcement Division Stephanie Avakian added: “[O]ur report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”

Much of the SEC’s prior enforcement activity related to cybersecurity has focused on regulated entities (broker-dealers, investment advisers, and investment companies), such as in actions pursuing violations of the SEC’s Safeguards Rule and, for the first time in September 2018, violations of the Identity Theft Red Flags Rule, which are designed to safeguard confidential consumer information and to protect customers from identity theft.

The SEC rarely has brought actions against publicly-traded companies that were themselves victims of a cybersecurity incident. Earlier this year, on April 24, Altaba, Inc. (f/d/b/a Yahoo! Inc.) settled charges that it violated Section 17(a)(2) and (3) as well as the disclosure controls provisions of the Exchange Act in connection with its failure to disclose a material data breach for nearly two years. The company paid a $35 million penalty to resolve these charges, which ranked as one of the largest SEC penalties during the past year.

The SEC’s October 16 investigative report further underscores the need for public companies—as well as regulated entities—to consider cybersecurity risk when designing, maintaining, and implementing effective internal accounting controls.

Reporter, Nicole M. Pereira, New York, NY, +1 212 556 2132,
Reporter, Matthew B. Hanson, Washington, DC, +1 202 626 2904,

UK Government Funding For NHS Data Privacy Research – The UK government has invited firms to apply for funding to carry out studies and research into how the National Healthcare Service (“NHS”) can overcome data privacy challenges, including how to comply with the requirements under the EU General Data Protection Regulation (“GDPR”), whilst allowing private companies to use its data for the development of digital technology solutions in the health sector.

The competition, which closes on October 31, 2018, gives UK-based small and medium-sized businesses the opportunity to apply to have up to 70% of their project costs met by a grant from the Digital Health Technology Catalyst (“DHTC”) or Innovate UK (a new body which works in partnership with universities, research organisations, businesses, charities, and government). Up to £9m of funding is being made available in this current round (up to £1m for feasibility studies, and up to £8m for collaborative research and development projects) which is part of the UK government’s longer term strategy to increase the use of digital technology, particularly artificial intelligence, in the NHS in order to achieve efficiencies and improve patient outcomes. The UK government recognises that many digital health innovations are reliant on the use of data, including personal information and health records of individual patients, and that it has strong duties to protect these data and mitigate the risks associated with managing, sharing and exploiting data, particularly in light of the introduction of the GDPR.

The NHS database is widely considered to be one of the most comprehensive sets of health data in the world and many large private firms, particularly from the US, want access to it. The sharing of the data with the healthcare industry promises a much-needed cash boost for the NHS but it also presents a number of issues with regard to ensuring that patient data are properly protected and kept secure. Accordingly, the DHTC is a £35 million fund that will be deployed over 4 years to help address challenges that were identified in the 2016 Accelerated Access Review, including how to keep patient data that are shared by the NHS with private companies safe, and also how to ensure that the NHS is fairly rewarded by those companies for the benefits they receive from access to such data.

A number of solutions have already been proposed. For example, British think-tank Reform suggested in its January 2018 report “Thinking on its own: AI in the NHS,” that NHS data should be pseudonymised, meaning that direct personal identifiers within the database should be replaced with artificial ones so that the identity of the individual cannot be ascertained without looking at additional information which is held separately. Pseudonymisation is explicitly recommended in the GDPR as a way of significantly reducing the risks associated with data processing and complying with the GDPR’s requirements for the safe storage of personal information, whilst maintaining the utility of the data for analytical purposes (see, for example, Article 6(4)(e) of the GDPR).

Also, in September 2018, the UK government published a draft code of conduct for data-driven health and care technology, which sets out 10 principles for all organisations that have access to NHS data and systems to follow, including being transparent about what data are being used, being able explain to a lay member of the public why the data used were needed, and completing a new Data Security and Protection Toolkit to provide assurance that the organisations are practising good data security and that personal information is handled correctly.

Applicants to the competition will be interviewed over the coming months, and a final decision made in January 2019.

Reporter, Jessica Trevellick, London, +1 44 20 7551 7507,