Earlier this month, Anthem announced that hackers had stolen information on tens of millions of Anthem Inc. customers in a massive data breach that ranks among the largest in corporate history. While the full scope of the damage is still being assessed, the compromised database contained up to 80 million customer records. So far, we do know that the stolen data includes personal information on insureds including names, birthdays, medical identification numbers, Social Security numbers, street addresses, e-mail addresses and employment information, including income data. Anthem has said that the data compromised does not appear to include credit card or medical information.
Anthem, formerly Wellpoint, is the second-largest health insurer in the United States. The company operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup, and Healthlink. Once identified, affected customers will be contacted by Anthem, which will be offering free credit monitoring and identity protection services. In a letter to customers, Anthem CEO Joseph Swedish stated, “Anthem’s own associates’ personal information — including my own — was accessed during this security breach. We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data.”
Depending on the nature of the data affected, a breach of health information may require health plans to take certain actions, including notifying affected individuals, and potentially, the Department of Health and Human Services and the media. The obligation to provide notice of a breach of personally identifiable information (e.g., names, Social Security numbers, addresses) and “protected health information” (“PHI”) (enrollment information and individually identifiable health information related to past, present, or future medical care) is governed by both federal and state law. Under the Health Insurance Portability and Accountability Act (“HIPAA”), notice must be provided within 60 days after the breach is discovered and some states require notice to be given even more quickly. In its notice to customers, Anthem acknowledged full ownership of its notice obligations and has publicly stated it intends to notify, by email or letter or both, individuals affected by the data breach.
What’s an employer to do? Whether an employer using Anthem as an insurer has a notice obligation to its affected employees depends on a variety of factors. First, and most importantly, the employer must determine whether and to what extent it receives PHI as part of its ongoing plan administrative duties. For instance, if a health plan is fully insured by Anthem, the employer may not actually acquire, maintain, or transmit the plan’s PHI. If that is the case, under HIPAA, Anthem will retain most notice and disclosure obligations resulting from the breach. On the other hand, if a health plan is self-funded but the employer uses Anthem to provide plan administration and/or claims payment services, Anthem is a HIPAA business associate and has a duty under HIPAA to notify the employer of the breach; however, it remains the employer’s duty to notify affected individuals. Regardless of the particular circumstances, Anthem has made it clear that it fully intends to notify all affected individuals. Notwithstanding the foregoing, affected employers should review their business associate agreements with Anthem to determine how the agreement allocates notice and disclosure responsibilities in the event of a breach. Further, employers should be aware that their business associate agreements must have been updated to reflect recent changes in applicable law; the changes were required to have been incorporated into agreements by September 2014. If your business associate agreements are outdated, the Anthem breach is a perfect opportunity to revisit those relationships and implement new, HIPAA-compliant agreements.
Will my insurance cover this? Some employers may have adopted cyber insurance policies that may cover circumstances like the Anthem breach. For instance, some cyber policies will cover the cost of legal advice needed to determine the existence and extent of any notice obligation resulting from a breach and may further cover expenses incurred as a result of the breach. Employers with cyber policies should provide formal notice of the breach to their cyber insurers ASAP to secure their right to potential coverage. Similarly, other more common corporate insurance policies, such as director and officer insurance or general liability insurance, may also provide some coverage though many of these will have specific exclusions relating to HIPAA violations or other language that may limit or eliminate coverage.
What should I do now? According to security experts, medical identity theft has become a booming business. Some experts warn that other health care companies are likely to be targeted next because this attempt to breach Anthem’s security was so successful. This news coincides with a recent announcement from the U.S. Department of Health and Human Services’ Office for Civil Rights that the next round of HIPAA compliance audits will be implemented “expeditiously.” The first round of audits began in 2012, and the government has long been warning of the impending second round. Sponsors of group health plans would be wise to review and update their internal HIPAA policies and procedures to ensure that health plan personnel understand and implement appropriate safeguards to avoid HIPAA violations, and to implement procedures to address a security breach in the event one occurs. Plan sponsors must evaluate whether and to what extent their personnel and service providers receive PHI and must ensure they have up-to-date, HIPAA-compliant business associate agreements in place with all providers receiving PHI. The penalties for HIPAA violations generally range from $100 to $50,000 per violation, and recent settlements resulting from the government’s HIPAA investigations range from $250,000 to $4.8 million.
This breach is an important reminder to employers sponsoring group health plans of their myriad obligations under complicated state and federal laws, including HIPAA. If you are concerned about your company’s exposure to HIPAA violations, contact your McGrath North attorney to discuss your plans and potential risks.