Health+Benefits the April 2015 issue

A New Anthem

Will you be singing “The Data Breach Blues”?
By Scott Sinder Posted on March 25, 2015

The breach affected not only Anthem clients but also clients of other Blues companies that partner with Anthem. Many of your employer clients are now asking how this affects their company. The answer (in classic lawyerly fashion): It depends.

Review Client Status/Contracts

Anthem’s data breach affects direct insureds in individual and group markets as well as self-insured plans in which Anthem, or one of its Blues partners, acts as a service provider. This is generally as a third-party administrator to the employer. In the latter case, any employer that is self-insured and uses Anthem probably has obligations for independent data breach investigation, notification and remediation to anyone currently insured under its self-insured plans unless Anthem was delegated those obligations by contract. Your self-insured clients therefore should review their contracts to determine the extent to which any of the breach-related obligations have been delegated.

Breach-Related Obligations

To the extent these obligations have not been delegated, your self-insured clients will have independent breach-related obligations under both federal and state law. It does not appear that any medical information was compromised in the Anthem breach. Anthem has acknowledged, however, that consumer names, addresses, Social Security numbers and health account numbers might have been compromised. Because this data all relates to healthcare coverage for consumers, the protections and obligations imposed by the Health Insurance Portability and Accountability Act (HIPAA) likely apply. Penalties for non-compliance can go up to $100 per day but are capped at $1.5 million per incident.

In addition, every state except Alabama, New Mexico and South Carolina, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, impose their own data breach notification requirements. Ten of those states—Arizona, Arkansas, California, Hawaii, Indiana, Kansas, Kentucky, Michigan, New Hampshire and Rhode Island—exempt an entity subject to HIPAA from their state disclosure and penalty regimes as long as the entity satisfies HIPAA data breach notification requirements. State penalties for non-compliance range from hundreds of dollars to as much as $5,000 per day.

In addition, 16 states—Alaska, California, Colorado, Hawaii, Illinois, Louisiana, Minnesota, Nevada, New Hampshire, North Carolina, Oregon, South Carolina, Tennessee, Virginia and Washington—and the District of Columbia, Puerto Rico and the U.S. Virgin Islands provide a private right of action for individuals to sue for non-compliance with their disclosure regimes.

HIPAA requires the owner or licensor of the compromised data to notify potentially affected consumers within 60 days of discovering the breach. For self-insured plans, the employer or the plan itself will be the data owner. The notice generally must include:

  • The types of data that were breached
  • The steps the individual can take to protect himself or herself going forward
  • What is being done to eliminate the breach issues going forward
  • Contact information for questions.

Anthem has set up a website through which it provides all of the requisite information: www.anthemfacts.com.

State breach notification laws generally require companies to provide the same types of information, but the laws differ with respect to when the notifications need to be provided; to whom (the exceptions vary widely); and the method of providing notice. A survey of all of the applicable state breach notification laws and their requirements is included in Steptoe’s data breach response toolkit at www.steptoe.com/databreach. 

What Next? 

No doubt the Anthem breach will be viewed as just one in a long line of high-profile data breaches—not the first and inevitably not the last. Although you and your clients cannot completely eliminate the cyber-risk exposure (particularly with respect to third-party vendors like Anthem), you can minimize it. You should also have a plan in place so you are ready for the next event.

You and your clients might want to consider:

  • Identifying and mapping the data in your possession and data for which you may be responsible (like the Anthem beneficiary data for self-insured plans)
  • Evaluating and updating your network security and access control measures and protocols
  • Reviewing your contracts with vendors and business partners to ensure they properly address the responsibility for data security (and that they include audit rights)
  • Reviewing and updating your privacy notices and practices to ensure that you are actually doing what you say you are doing
  • Making sure your insurance coverage is adequate to recover the potentially catastrophic costs of a breach, including response, remediation and litigation costs
  • Focusing a component of any due diligence in M&A-type transactions on your potential partner’s cyber-security systems and protocols, because when you buy another firm, you are buying its data and any data security problems it might have.
When you buy another firm, you are buying its data and any data security problems it might have.

Finally, you and your clients should maintain an up-to-date incident response plan and regularly test it to ensure it works. The plan should make clear who would be called in to help when an incident occurs. To minimize your potential liability, your first call should be to your lawyer. As self-serving as that sounds, it’s prudent advice because it allows a breach investigation to commence while maximizing your opportunity to avail yourself of the protections of the attorney-client privilege, which can be critical if litigation ensues. 

Scott Sinder Chief Legal Officer, The Council; Partner, Steptoe Read More

More in Health+Benefits

U.S. Healthcare System Failing New Mothers
Health+Benefits U.S. Healthcare System Failing New Mothers
Q&A with Munira Gunja, Senior Researcher, Commonwealth Fund International Progra...
Health+Benefits Action Needed to Curb Antimicrobial Resistance, Reinsurance CEO Says
The comments from Paul Murray of Swiss Re come as the U.N. General Assembly has ...
Help Wanted, Desperately
Health+Benefits Help Wanted, Desperately
The U.S. healthcare industry could need hundreds of thousands of additional doct...
Options for Ensuring Care
Health+Benefits Options for Ensuring Care
Employers have a number of options for ensuring their staff can access needed he...
The Price of Pharma Promotion
Health+Benefits The Price of Pharma Promotion
Direct-to-consumer pharmaceutical advertising has a real imp...
The Dollars in the Details
Health+Benefits The Dollars in the Details
Newly unveiled healthcare pricing data can combine with disc...