On October 16, 2018, Thora Johnson was quoted in Bloomberg Law in an article about how Anthem's $16 million data-breach settlement, which is the largest negotiated by the Health and Human Services (HHS) Office for Civil Rights, may signal that the federal government is about to pick up the pace on privacy and security enforcement.
According to the article, the 2015 data breach exposed the personal records of roughly 79 million people, including Social Security numbers and birth dates.
Commenting on the settlement, Ms. Johnson said that Anthem agreed as part of the deal to enter into a two-year corrective action plan with the OCR, signaling the importance the office places on enterprise-wide risk assessment.
The corrective action plan requires Anthem to conduct a risk analysis of all electronic protected health information and provide the results to the HHS. Johnson added that risk assessments are typical in most corrective action plans, but in Anthem's case the company must give the OCR a description of how it will conduct a risk assessment before it begins and let the agency weigh in on whether the plan is robust enough.
Many large data breaches were reported in 2015, so more settlements may come soon, said Johnson. "Although it's been a slow start to OCR enforcement this year, it may very likely be picking up."