In late September, Anthem Inc. entered into a $39.5 million settlement for a 2014 data breach that affected nearly 79 million individuals.[1] About a week later, CHS/Community Health Systems Inc. agreed to pay $5 million for a breach that same year; 6.1 million records had been hacked.[2]
Premera Blue Cross, in July of last year, agreed to pay $10 million for its 2015 breach that exposed the protected health information (PHI) of more than 10.4 million people.[3] More than half of that amount—$5.4 million—went to Washington State alone, as its state Attorney General (AG) Bob Ferguson had spearheaded the investigation.
Because these payments all came amid costly settlements announced by the HHS Office for Civil Rights (with the same organizations), HIPAA privacy and security officials might have missed the fact that all four settlements were not with OCR but were negotiated by state AGs working together.
Just two years after the first multistate agreement related to a data breach—the $900,000 settlement with Medical Informatics Engineering[4]—the AG community is now motivated and experienced when it comes to pursuing such settlements, explained Jonathan Skrmetti, Tennessee’s chief deputy attorney general. Covered entities (CEs) and business associates (BAs) that experience breaches affecting multiple states should expect attention from groups of AGs working together, according to Skrmetti, whose office led the CHS settlement.
“Most large-scale HIPAA breaches, because they involve patients in multiple states—often many states—are going to provoke multistate coordination” from the attorneys general, said Skrmetti, adding that the state AG “community is highly coordinated.” Skrmetti made his remarks at the 2020 Healthcare Enforcement Compliance Conference, sponsored by the Health Care Compliance Association, which publishes RPP.[5]
CEs and BAs may be familiar with cases that AGs more typically handle individually within their own state, but Skrmetti said there is also “a lot of multistate activity.” The Premera settlement brought together 30 state AGs; CHS involved 28; and Anthem, 43. The Medical Informatics Engineering settlement, brokered by Indiana, included 15 other states.