Insurers And Health Plans—Do You Have Your HIPAA House In Order?

In the wake of the Anthem breach, hackers continue to target the healthcare industry.  At the close of May, CareFirst BlueCross BlueShield reported a data breach that was initially discovered last year; however, when the incident was first noticed, the company believed they had adequately taken care of the problem.  CareFirst said at the time it was believed they “had contained the attack and prevented any actual access to member information.” Unfortunately, ten months later, CareFirst discovered that the breach had, in fact, continued.

Information on about 1.1 million individuals was affected by the breach, which CareFirst discovered during an information technology security review conducted in the wake of the attacks on Anthem and Premera. In June 2014, according to CareFirst, hackers gained access to a single database where CareFirst stores data that is entered by members and other individuals in order to access the company’s websites and online services.

This incident offers a clear lesson to other organizations: it is time to review their security procedures and address gaps in protections before it is too late.  Healthcare data is obtained and stored by a variety of entities that are expected to be aware of these types of risks and to act to prevent them.  Healthcare data is extremely valuable to criminals, as it can be re-packaged and sold for a number of different criminal campaigns.  In light of these most recent attacks, we are encouraging all our clients to conduct an internal audit of their security protocols and to implement HIPAA policies and procedures to prevent exposure to new threats in the technological world.

If you have questions or would like to discuss your HIPAA compliance questions, please contact a member of the McGrath North Privacy and Data Security team.

The Anthem Breach – Assessing Employer Notification Requirements

On February 13, 2015, Anthem, Inc. (Anthem) announced that on January 29, 2015, it discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem’s IT system and obtained personal information relating to consumers who were or are currently covered by Anthem or other independent Blue Cross and Blue Shield plans that work with Anthem.  Anthem stated that it believed the suspicious activity may have occurred over the course of several weeks beginning in early December 2014.  Anthem has reported that the information accessed may have included individual names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information, including income data.  For more information concerning the breach, click here to access the website created by Anthem to update employers about the breach.

Anthem is one of the largest health benefits companies in the United States. Through its affiliated health plans, Anthem companies deliver health benefit solutions through a portfolio of integrated health care plans and related services, along with a range of specialty products such as life and disability insurance benefits, dental, vision, behavioral health benefit services, as well as long term care insurance and flexible spending accounts.  Headquartered in Indianapolis, Indiana, Anthem, Inc. is an independent licensee of the Blue Cross and Blue Shield Association serving members in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin; and specialty plan members in other states.

Employers who have Anthem plans or use Anthem as a third party administrator (TPA) for their health plans should review their plan documents to understand what rights and obligations the parties have in the event of a data security breach.

Federal And State Breach Notification Requirements.  With respect to federal and state breach notification requirements, if protected health information was involved in the attack, the attack was most likely a breach under HIPAA and subject to the HIPAA breach notification reporting rules.  Given the nature of the information involved in the attack, most clients of Anthem will likely treat the attack as a breach under HIPAA and follow HIPAA’s breach notification reporting rules. In addition, forty-seven states have separate breach notification reporting statutes that may be triggered when certain sensitive information (such as Social Security numbers) is breached.  Since the rules vary from state to state, an affected employer will need to determine which State breach notification reporting statutes apply.

What Affected Employers Should Do Now.  While Anthem’s investigation continues, affected employers should consider taking steps now to ensure required breach reporting requirements are met.

  • Obligation To Provide HIPAA Breach Notification.  Breach notification obligations under HIPAA may depend on whether an employer’s health plan is fully insured or self-funded; and, if self-funded, whether Anthem has contractual obligations under its business associate agreement (Agreement) with an affected employer to provide the required notification.  If a plan is fully insured, Anthem will likely be obligated to provide the notification.  If a plan is self-funded, Anthem may also be obligated to provide the notification pursuant to its Agreement with the employer. Affected employers should review their Agreement with Anthem to make this determination.
  • Obligation To Provide State Breach Notification.  Under many State breach notification reporting statutes, the party that lost the data is the one responsible for issuing notification of the breach.  A review by an affected employer of the applicable State breach notification reporting statutes will be required to determine its obligation to report the Anthem breach to its employees.  An affected employer should also consider confirming with the respective State Attorney General that following the HIPAA breach notification reporting requirements will satisfy that State’s breach notification reporting requirements.
  • Communication With Employees.  Affected employers should urge employees affected by the Anthem breach to be extra vigilant for “phishing” schemes – targeted emails with embedded links that might seek to gain access to additional information – and any other suspicious written or verbal communications.  Employees should also be encouraged to immediately change their passwords to all sensitive accounts and should monitor credit card and other financial accounts to guard against unusual activity.  In addition, in its communications with its employees regarding the Anthem breach, an affected employer should note that any information regarding the Anthem breach has been provided by Anthem (where applicable), and that the employer is not making any representations about the breach or surrounding facts.
  • Review Anthem Mitigation Efforts.  An affected employer should confirm with Anthem the steps currently being taken to protect the employer’s employees and other affected individuals.  The affected employer will want to review any agreements with Anthem to determine whether the victim protection, client indemnification, and paid notification being proposed by Anthem are consistent with Anthem’s obligations under such agreements.