Anthem Inc. (Anthem), the nation's second-largest health
insurer, revealed late on Wednesday, February 4 that it was the victim of a
significant cyber-attack. According to Anthem, the attack exposed personal information
of approximately 80 million individuals, including those insured by related
Anthem companies. Anthem has reported that the exposed information includes
member names, member health ID and Social Security numbers, dates of birth,
addresses, telephone numbers, email addresses and employment information. The
investigation of the massive data breach is ongoing, and media outlets have
reported that class action suits have already been filed against Anthem in
California and Alabama, claiming that lax Anthem security measures contributed
to this incident.
Employers, multiemployer health plans, and others
responsible for employee health benefit programs should take note that the
Health Insurance Portability and Accountability Act (HIPAA) and state data breach
notification laws may hold them responsible for ensuring that certain
notifications are made related to the incident. The nature of these obligations
will depend on whether the benefits offered through Anthem are provided under
an insurance policy, and so are considered to be "fully insured," or
whether the Anthem benefits are provided under a "self-insured"
arrangement, where Anthem does not insure the benefits, but instead administers
the benefits. The most significant legal obligations on the part of employers,
multiemployer health plans, and others responsible for employee health benefit
programs will apply to Anthem benefits that are self-insured.
Where notifications must be made, the notifications may be
due to former and present employees and their dependents, government agencies,
and the media. Where HIPAA applies, the
notifications will need to be made "without unreasonable delay" and
in any event no later than 60 days after the employer or other responsible
party becomes aware that the breach has affected its own health plan
participants. Where state data breach laws apply, notifications generally must
be made in the most expedient time possible and without unreasonable delay,
subject to certain permitted delays. Some state laws impose outside timeframes
as short as 30 days. Under the state laws, reporting obligations on the part of
employers, multiemployer health plans, and others responsible for employee
health benefit programs will generally turn on whether they, or Anthem,
"own" the breached data. Since the state laws apply to breaches of
data of their residents, regardless of the states in which the compromised
entities and data owners are located, and since former employees and dependents
could reside anywhere, a comprehensive state law analysis is required to
determine the legal requirements arising from this data breach. Fortunately,
depending on the circumstances, some (but not all) state data breach
notification laws defer to HIPAA breach notification procedures, and do not
require additional action where HIPAA applies and is followed.
As potentially affected parties wait for confirmation from
Anthem as to whether any of their employees, former employees or their covered
dependents has had their data compromised, we recommend that affected parties
work with their legal counsel to determine what their responsibilities, if any,
might be to respond to this incident. Among other things, for self-insured
arrangements, HIPAA business associate agreements and other contracts with
Anthem should be reviewed to assess how data breaches are addressed, whether
data ownership has been addressed by contract, and whether indemnification
provisions may apply. Consideration should also be given to promptly reaching
out to Anthem to clarify the extent to which Anthem will be addressing
notification responsibilities. Once parties are in a position to make required
notifications, we also recommend that companies consult with legal counsel to
review the notifications and the distribution plans for those notifications to
assure that applicable legal requirements have been satisfied.
Please visit their dedicated website, www.anthemfacts.com, where members can access information such as frequent questions and answers. To view frequently asked questions, visit www.anthemfacts.com/faq. Anthem has also established a toll-free number that members can call with questions regarding the incident: 1-877-263-7995.
Find us on: