Hepler Broom, LLC

Just What the Doctor Ordered: Government Succeeds in Keeping Anthem Data Breach Documents Under Wraps

May 11, 2017

Between December 2014 and January 2015, Anthem Inc. suffered a massive cyberattack on its computer systems, allowing hackers to steal the health and personal information of nearly 80 million people. In re: Anthem, Inc. Data Breach Litigation, — F. Supp. 3d —-, No. 16-MC-2210 APM, 2017 WL 680378, at *1 (D.D.C. Feb. 21, 2017). Federal employees (who received their health insurance from Anthem through the Federal Employee Health Benefits Program) were among the victims of the hacking. Id.

On May 13, 2016, the Lead Plaintiffs in the multidistrict litigation served a subpoena on the United States Office of Personnel Management (“OPM”), the agency responsible for negotiating and administering the government’s health insurance contracts with Anthem. Id. The health insurance contract between Anthem and OPM specified that OPM’s Office of the Inspector General (“OIG”) would conduct periodic audits of Anthem’s IT systems. Id. at *1-2. The purpose of these audits was to: (1) assess Anthem’s network security and protocols, and (2) make certain recommendations if the audit revealed vulnerabilities. Id. at *2. In 2013, OIG conducted one such audit of Anthem’s IT systems, which produced a report with certain recommendations. Id. The audit was only partially useful, though; Anthem refused to allow OIG’s auditors to connect their equipment to Anthem’s network. Id. After the 2013 audit concluded, OPM staff discussed amendments to the Anthem contract that would permit them greater access to Anthem’s network. Id.

The subpoena to OPM sought 17 categories of documents relating to the 2013 audit (as well as to a 2015 audit that post-dated the breach). Id. at *3. After narrowing and negotiation, three categories of documents remained at issue:

  1. Audit work papers pertaining to (a) Anthem’s refusal to permit OPM to conduct certain audit testing, and (b) auditor reviews and conclusions about Anthem’s information system security measures and practices.
  2. Meeting write-ups, which documented meetings between auditors and Anthem representatives regarding, amongst other things, Anthem’s network configuration management, security, and risk assessment.
  3. Emails between and amongst federal employees discussing potential changes to federal contracts (including Anthem’s contract) and whether Anthem successfully implemented certain recommendations that OIG made as part of the 2013 Audit.

Id. at *4.

OPM resisted disclosure of these documents, arguing that they were protected by either the deliberative process privilege or the law enforcement privilege. Id. (The deliberative process privilege is intended to safeguard the internal process and deliberations by which agencies make their decisions. Id. at *4. The law enforcement privilege aims to protect the integrity of law enforcement techniques, sources, and investigations from certain disclosures. Id.)[1]

The Court largely agreed with OPM’s deliberative process argument. Reviewing the documents in camera, Judge Mehta concluded that agency emails discussing audit recommendations and the process for evaluating Anthem’s compliance with its federal contract were “precisely the types of agency decision-making processes that the courts should carefully avoid exposing to the public or to private parties.” Id. at *7. Indeed, Judge Mehta found that “all the withheld electronic correspondence between and amongst government actors”—which comprised 243 of the 267 pages at issue—was “subject to the deliberative process privilege.” Id. at *9. And while the deliberative process privilege is not absolute, the Court found that the Lead Plaintiffs had not sufficiently shown that their need for the documents outweighed the Government’s interest in withholding them. Id. at *10. The Court did, however, order the disclosure of: write-ups and written reports relating to Anthem’s configuration management, network security, special investigations, and fraud; certain policy statements; sign-in sheets; and information request memoranda. Id. at *12.

While some of the circumstances of the case are unique to the processes of a government agency, the Anthem case illustrates the importance of conducting comprehensive audits of a service provider’s IT network, and of a client contracting for the right to do so. The 2013 audit shows why the contract language matters: absent a clear right of access, Anthem was able to refuse to let OIG’s auditors connect their equipment to its network, leaving the audit only partially useful.

___________

[1] The Court was not persuaded by the law enforcement privilege argument. See id. at *11-12. Even assuming the privilege was broad enough to encompass the materials at issue, the Court found that the balance of interests warranted disclosure. Id. at *12.