A DataBreaches opinion piece.
You might think a giant insurer like Anthem, which has experienced several breaches over the years — including one of the most significant breaches ever — would understand the importance of transparency by now. Apparently not.
On May 24, Anthem (now known as Elevance Health) posted a notice on its site that began:
May 24, 2022 – Anthem Blue Cross has learned of a data security incident that involved protected health information belonging to certain current and former members contained in the records of one of its legal services providers, Von Behren & Hunter LLP (“VBH”). On May 24, 2022, potentially affected individuals were notified and provided resources to assist them.
On January 24, 2022, VBH became aware of unusual activity within its network and discovered that there had been unauthorized access to the environment. Upon discovering this activity, VBH took steps to secure its environment and initiate an initial investigation to evaluate the scope of the incident. On February 10, 2022, VBH confirmed that certain data was accessed and acquired without authorization during the incident. On April 11, 2022, notifications were mailed to this known affected population.
Following an in-depth and thorough review, on March 25, 2022, VBH determined that some information relating to current and former Anthem members may have been stored on the impacted server. This information may have included name, date of birth, ID number, health insurance plan name, treatment facility, claim charges, date of service and provider name. A limited number of members have Social Security Numbers disclosed. While there is no evidence indicating that this information has been misused or that this information was even accessed or acquired without authorization, we are providing this notice out of an abundance of caution.
VBH has been in communication with the FBI and will fully cooperate with any investigation.
So how many Anthem members were affected by the VBH breach? It doesn’t say, and there is no submission from Anthem to HHS’s public breach tool on that date that answers that question. There is a submission from VBH to HHS, but it doesn’t indicate whether it is on Anthem’s behalf, other clients, or all VBH clients.
That wasn’t Anthem’s only breach notice posted on their site recently. On August 1, they also posted another member notice:
The Anthem affiliated covered entities have learned of a data security incident that involved protected health information belonging to certain current and former members contained in the records of one of its mail service providers, OneTouchPoint, Inc. (“OTP”). Beginning on August 1, 2022, potentially affected individuals are being notified and provided resources to assist them.
On April 28, 2022, OTP discovered encrypted files on certain computer systems and immediately launched an investigation to determine the nature and scope of the activity, with the assistance of third-party forensic specialists. The investigation determined there was unauthorized access to certain servers beginning on April 27, 2022. While we were unable to say definitively what information was accessed by the unauthorized actor, we are providing this notice of the event in an abundance of caution. OTP has seen no evidence of misuse of any information related to this incident. OTP has been in communication with the FBI and will fully cooperate with any investigation.
Information about individuals that could have been accessed included name, address, health care ID number, plan name, provider information, claim number, dates of service, claim received and processed dates, and amounts paid.
How many Anthem members were affected by the OTP incident? Anthem doesn’t say, and there is no recent submission by them on HHS’s public breach tool that would explain this. Furthermore, OTP’s notification to HHS on behalf of numerous covered entities does not break down how many members or patients for each of their covered entities were affected, so although Anthem Affiliated Covered Entities was listed on OTP’s notice, we do not know how many of the more than 1 million individuals reported by OTP to HHS were from Anthem Affiliated Covered Entities.
So Anthem recently had two reportable HIPAA breaches due to business associates. It is not particularly surprising that they do not include the numbers affected in their substitute notices on their site, but it is surprising that they have failed to provide those numbers when asked repeatedly.
On August 6, DataBreaches emailed Anthem to ask how many Anthem members were impacted by each of the two incidents. On August 8, Michael Bowman replied, “Thanks for your email. I will check into this and follow up. Are you on deadline?” DataBreaches responded, “Not on deadline, no. On caffeine. :)”
On August 12, DataBreaches emailed Bowman again to see if he had obtained the answers. He replied, “Thanks for following up. Have you checked with the vendors? They would have all of the details.”
Surely any experienced media person in his role would know that the vendors would not answer those questions. DataBreaches responded:
No, I haven’t checked with the vendors. I am asking Anthem, because under HIPAA, the buck stops with the CE.
And besides, the vendors will only tell me that they can’t answer because of client confidentiality.
So it’s on Anthem to give me the answers. I’m actually surprised it’s taking so long to get an answer.
There was no reply. One week later, on August 19, DataBreaches wrote to Anthem again. This time DataBreaches added Leslie Porras and Stephen Tanal to the email distribution:
I have written to Anthem *multiple* times since August 6 requesting an answer to this query and still have received no appropriate answer from Mr. Bowman. Why is Anthem failing to be transparent and responsive?
Please provide the numbers requested by close of business today.
Bowman responded, dropping the Investor Relations contact off the reply:
Good morning. As I previously mentioned, the vendors are the best to speak to these breaches. Both vendors have published information on the HHS portal, which we have pulled for you in the attached. -Mike
A copy of the useless HHS public breach tool was attached to his email.
DataBreaches replied, now adding Gail Boudreaux, CEO of Anthem (now known as Elevance Health), to the distribution:
Michael —
As I had told you on August 12, when you first tried to punt this to the vendors: the vendors would not provide the numbers requested, and they didn’t. I publish data for the healthcare industry each year and am an expert on understanding and interpreting HHS’s public breach tool. Von Behren’s report to HHS, as publicly displayed, does not reveal whether the number they reported is just on behalf of Anthem or if that number is on behalf of another of its clients or on behalf of a few of its clients, etc. It’s not even clear that they are reporting on behalf of Anthem at all from that tool.
And OneTouchPoint’s figure of more than 1 million affected people reported to HHS appears to be on behalf of Anthem affiliated entities *and* numerous other clients of theirs — not just Anthem. See their notice at https://1touchpoint.com/notice-of-data-event
Does Anthem/ElevanceHealth want me to report that Anthem had more than 1 million members affected when I think it’s obvious that Anthem is just one of the clients affected?
I am trying to report accurately. I shouldn’t have to repeat a request for simple answers so many times. Anthem’s repeated failure to provide the numbers requested is astonishing and the firm should be embarrassed by its lack of transparency. So I will ask one last time before I wind up writing a report that has no numbers but publicly criticizes Anthem/ElevanceHealth’s lack of transparency: please simply give me the actual numbers for Anthem members affected for each of the two HIPAA breaches cited in my original request.
Thank you.
They never replied at all.