In U.S. v. Anthem, Inc., No. 20-CV-2593 (ALC) (KHP) (S.D.N.Y. June 12, 2024), New York Magistrate Judge Katharine H. Parker found that “the government has not shown good cause to shift the burden to Anthem to pay for the additional security requested” to safeguard protected health information (PHI) of Anthem’s members, so she ordered the government to pay additional security costs to protect that PHI data – but “without prejudice to a renewed motion under Rule 26 to shift the costs of this enhanced security if Defendant engages in conduct that unreasonably extends discovery so as to increase the costs to Plaintiff.”

Case Discussion and Judge’s Ruling

In this False Claims Act (“FCA”) case against Anthem with claims that Anthem knowingly disregarded its duty to provide accurate information in insurance claims, a core part of the information to be exchanged in the case was the PHI of Anthem’s members. The level of security needed to protect the health data that is turned over to the government in discovery and who should pay for the costs of that security was at issue.

The government had already proposed a robust set of protections for the data that was HITRUST-certified, and the monthly cost already being incurred by the government for this level of security is about $5,000/month. Anthem requested additional protections—most that would come into play in the event of a future data breach—which would cost an additional $4,300/month, including tracking and logging of all activity on the platform, monitoring of internal activity logs, certain data loss prevention controls to mitigate potential security gaps in transfer protocols and more. Anthem contended the additional measures it is seeking are consistent with industry standards and with applicable regulatory guidance.

Judge Parker stated: “Under the federal rules, there is a presumption that the responding party bears the expense of complying with and responding to discovery requests and of preserving its own information for litigation…Who should bear the cost of maintaining the security of data turned over in litigation is a slightly different question. It is typical for Courts to issue protective orders governing discovery, but those orders do not usually address secure storage of data or who bears the costs of protecting electronically stored information produced in discovery.” She also noted: “the protective order in this case…allows the producing party to specify the minimum level of security expected…It does not address cost-shifting in the event the receiving party disputes the level of protection specified by the producing party.”

Judge Parker also noted that “one of the government’s vendors experienced a ransomware attack that compromised some of Anthem’s data, resulting in the vendor having to send notice to impacted individuals, pay for two-years of credit monitoring, and a lawsuit…Accordingly, Anthem is rightfully concerned about the protection of its data in this case.”

So, Judge Parker identified four “non-exclusive factors as relevant to determining whether there is good cause to shift all or a portion of costs of data security measures from the receiving party to the producing party”. They were:

• Nature of the Information: Recognizing that the information at issue included sensitive personal and health data, which is often targeted in cyberattacks and requires strong protection, Judge Parker stated: “Given these risks, and particularly given the previous breach, Anthem’s concern for the security of the data is reasonable and this factor weighs against shifting the costs of that security to Anthem.”
• Reasonableness of Security Measures: Judge Parker evaluated the additional security measures proposed by Anthem, stating: “It is not clear how much additional risk will be mitigated from the additional measures proposed by Anthem. Ultimately, the only technical opinion offered by the parties is from Anthem’s head of Cybersecurity Threat Management, whose declaration identifies specific vulnerabilities in the government’s proposal…Therefore, this factor also weighs against shifting the costs of data security to Anthem.”
• Cost Relative to the Amount in Controversy: Judge Parker considered the costs of the additional security measures ($60,000 annually) relative to the amount in controversy, which was in the millions and stated: “Therefore, the annual costs of the additional security measures are a rounding error relative to the entire amount in controversy, and this factor also weighs against shifting the costs of data security to Anthem.”
• Relative Ability to Pay: Judge Parker also examined the financial capabilities of both parties and found them both well-resourced, stating: “On the whole, this factor weighs sightly in favor of shifting the costs of data security to Anthem, but not as strongly as in a situation where there is a greater financial disparity between the parties.”

Finding the factors weighed against shifting the burden to Anthem to pay for the additional security requested, Judge Parker ordered the government to pay additional security costs to protect that PHI data. She also stated: “However, this decision is without prejudice to a renewed motion under Rule 26 to shift the costs of this enhanced security if Defendant engages in conduct that unreasonably extends discovery so as to increase the costs to Plaintiff.”

So, what do you think? Should the government pay additional security costs to protect that PHI data that Anthem requested? Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant, an Affinity partner of eDiscovery Today.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.