This morning, Anthem Blue Cross and Blue Shield, one of the largest health insurers in the country, notified its policyholders, members, and business partners that it was recently the target of an external cyber attack that appears to have comprised the confidentiality of medical and other personal information maintained on its information technology (IT) system. The information at issue includes names, birthdays, medical identification numbers, Social Security numbers, addresses, employment information, and other similar information of more than 80 million current and former members. The notices that Anthem delivered to those potentially affected by the attack indicate that this attack did not compromise medical or credit card information.
An employer facing news that its insurer or third-party administrator (TPA) has experienced a data breach may find such news alarming and, at times, confusing. Even if no medical information was compromised, identifying information associated with a means of paying for medical services—such as information concerning current or former members’ enrollment in health insurance or information about members’ health claims from a TPA—generally qualifies as protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This is true even if neither diagnostic codes nor other sensitive information is included among the identifying information. Accordingly, if a plan participant’s name, Social Security number, address, or other identifying information were compromised while held by an insurer or TPA, that would constitute a breach for purposes of the Health Information Technology for Economic and Clinical Health (HITECH) Act and HIPAA. In such a situation, state-level breach notification laws also are likely to be implicated.
As employers consider how to respond on behalf of their health plans, it is important to note that employers’ obligations will depend on the nature of the relationship between the employer and its health plan and the insurer or TPA.
- Insured Plan—If the plan is insured, the insurer is the covered entity responsible for investigating the situation, undertaking appropriate mitigating measures, and providing all required notices to plan participants, regulators, and, in some instances, the media.
- Self-Funded Plan—If the plan is self-insured, the responsibility for investigating a breach and providing any required notice, by default, falls on the plan and the employer as its sponsor. If, as is typically the case, however, the employer has outsourced the claims administration role, the TPA may have the contractual obligation for assessing and responding to the breach. At a minimum, the TPA will have a notice obligation to the plan/employer and a responsibility to provide details surrounding the breach. Employers should review the relevant contract documents and determine where responsibility for response, remedial, and notification measures rests.
For life insurance and other non-health coverage and benefit services that Anthem offers, HIPAA and HITECH may not apply. However, when crafting a response, employers should consider their role as a fiduciary of the benefit plan as well as employee relations. It may be prudent for an employer to reach out to employees, sharing information sent to it by Anthem regarding the breach, as well as to follow up with Anthem representatives to get a better understanding of how the breach is being addressed for its employees.
In all cases, under state breach notification laws, generally the party that held the data when the breach occurred is responsible for issuing the notice. State laws govern who must provide notice and define the contents and recipients of such notices. Accordingly, employers should identify the implicated states and comply with their obligations in the relevant jurisdictions.
Action Items for Employers
Initial action items for employers in this situation include the following:
- Define the relationship between the employer’s health plan and Anthem. Is Anthem acting as an insurer or as a TPA for the plan?
- If the plan is insured, the notification obligation resides primarily with Anthem, and based on Anthem’s public communications thus far, it appears that Anthem is proceeding with the mitigation and notice process already. In addition to notifying the affected individuals, employers should review their insurance contract documents and evaluate their provisions regarding data privacy and security. Ultimately, if the plan is fully insured, Anthem should be responsible for HIPAA and HITECH compliance and the proper issuer of notices under state data breach laws.
- If the plan is self-insured and Anthem serves as TPA, the employer should closely examine its service contract and “business associate agreement.” In particular, the employer should focus on the breach assessment and notice provisions and determine who is responsible for evaluating possible breaches and issuing required notifications to the affected individuals. Examine the information that Anthem has provided regarding its handling of the breach and make sure that those actions coincide with the contractual provisions, HIPAA, HITECH, and applicable state breach notification laws.
- If the employer retains responsibility to provide the required notice, determine whose data was compromised, identify the actions required to protect the data and mitigate harm, and prepare the notices necessary to comply with the plan’s obligations under HIPAA and state law. The employer will likely need to work with Anthem to collect the detailed information necessary to prepare the required notices, and Anthem has an obligation to provide the employer with the information necessary to prepare that notice. Additional information about breach response under HIPAA and HITECH, is available in Timothy Stanton’s and Aimee Dreiss’s January 2013 article on this subject, “No Harm, No Foul, No More—New HIPAA “Breach” Standards Seek to Provide Consistency, Objectivity.”
- Consider additional steps the employer should take to mitigate any harm caused by the breach. Review the service agreement and business associate agreement for any provisions governing mitigation obligations and indemnification clauses for the employer’s ability to recover for costs related to the breach.
Although Anthem was the victim of this particular cyber attack, recent large-scale data breaches with major retailers and financial institutions demonstrate that all forms of sensitive personal information can be vulnerable to exploitation, and the employee benefits world is certainly not immune from these challenges. Other major health insurers and benefits consultants, insurance brokers, and third-party administrators are likely vulnerable to similar attacks in the future, and employers should be prepared to respond quickly in the event their plans or business partners are affected.