This post is excerpted from an article Honored in the Breach: Employer Action Items for an Insurer Data Breach, written by Timothy G. Verrall (Houston), Stephen A. Riga (Indianapolis), and Danielle Vanderzanden (Boston), which appeared on Ogletree Deakins Blog.
On February 5, 2015, Anthem Blue Cross and Blue Shield, one of the largest health insurers in the country, notified its policyholders, members, and business partners that it recently had been the target of an external cyber attack. The attack appears to have comprised the confidentiality of medical and other personal information maintained on Anthem’s information technology (IT) system.
The information at issue includes names, birthdays, medical identification numbers, Social Security numbers, addresses, employment information, and other similar information of over 80 million current and former members. The notices that Anthem delivered to those potentially affected by the attack indicate that this attack did not compromise medical or credit card information.
An employer facing news that its insurer or third-party administrator (TPA) has experienced a data breach may find such news both confusing and alarming. Even if no medical information was compromised, identifying information associated with a means of paying for medical services—such as current or former members’ enrollment in health insurance, or information about members’ health claims from a TPA—qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is true even if neither diagnostic codes nor other sensitive information is included among the identifying information.
If a plan participant’s name, Social Security number, address, or other identifying information were to be compromised while held by an insurer or TPA, such disclosure would constitute a breach for purposes of the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA. In that situation, state-level breach notification laws also are likely to be implicated.
As companies consider how to respond on behalf of their health plans, employers’ obligations will depend on the relationship between that employer and its health plan and the insurer or TPA.
- Insured Plan—If the plan is insured, the insurer is the covered entity responsible for investigating the situation, undertaking appropriate mitigating measures, and providing all required notices to plan participants, regulators, and, sometimes, the media.
- Self-Funded Plan—If the plan is self-insured, the responsibility for investigating a breach and providing any required notice, by default, falls on the plan and the employer as its sponsor. If, however, the employer has outsourced the claims administration role (as is typically the case), the TPA may have the contractual obligation for assessing and responding to the breach. At a minimum, the TPA will have a notice obligation to the plan/employer and a responsibility to provide details surrounding the breach.
In all cases, under state breach notification laws the party that held the data when the breach occurred is responsible for issuing the notice. State laws govern who must provide notice and define the contents and recipients of such notices. Employers should identify the implicated states and comply with their obligations in the relevant jurisdictions.
Action Items for Employers Regarding Anthem
Initial action items for employers include:
- Define the relationship between the employer’s health plan and Anthem. Is Anthem acting as an insurer or as a TPA for the plan?
- If the plan is insured, the notification obligation resides primarily with Anthem, and based on Anthem’s public communications thus far, it appears that Anthem is proceeding with the mitigation and notice process.
- Besides notifying the affected individuals, employers should review their insurance contract documents and evaluate their provisions regarding data privacy and security. Ultimately, if the plan is fully insured, Anthem should be responsible for HIPAA and HITECH compliance and the proper issuer of notices under state data breach laws.
- If the plan is self-insured and Anthem serves as TPA, the employer should closely examine its service contract and “business associate agreement.” In particular, the employer should focus on the breach assessment and notice provisions and determine who is responsible for evaluating possible breaches and issuing required notifications to the affected individuals.
- Examine the information that Anthem has provided regarding its handling of the breach and make sure that those actions coincide with the contractual provisions, HIPAA, HITECH, and applicable state breach notification laws.
- If the employer retains responsibility to provide the required notice, determine whose data was compromised, identify the actions required to protect the data and mitigate harm, and prepare the notices necessary to comply with the plan’s obligations under HIPAA and state law.
- The employer must likely work with Anthem to collect the detailed information to prepare the required notices, and Anthem has an obligation to provide the employer with the information to prepare that notice. Additional information about breach response under HIPAA and HITECH, is available in a prior article on this subject, “No Harm, No Foul, No More—New HIPAA “Breach” Standards Seek to Provide Consistency, Objectivity.”
- Consider additional steps the employer should take to mitigate any harm caused by the breach. Review the service agreement and business associate agreement for any provisions governing mitigation obligations and indemnification clauses for the employer’s ability to recover for costs related to the breach.
Although Anthem was the victim of this cyber attack, recent large-scale data breaches with major retailers and financial institutions demonstrate that all forms of sensitive personal information can be vulnerable to exploitation, and the employee benefits world is not immune from these challenges. Other major health insurers and benefits consultants, insurance brokers, and third-party administrators are likely vulnerable to similar attacks in the future, and employers should be prepared to respond quickly if their plans or business partners are affected.