On February 5, as you are all too well aware, Anthem Blue Cross and Blue Shield disclosed it had experienced a data breach in late December that it believes compromised the confidentiality of personal information.
The breach affected not only Anthem clients but also clients of other Blues companies that partner with Anthem. Many of your employer clients are now asking how this affects their company. The answer (in classic lawyerly fashion): It depends.
Review Client Status/Contracts
Anthem’s data breach affects direct insureds in individual and group markets as well as self-insured plans in which Anthem, or one of its Blues partners, acts as a service provider. This is generally as a third-party administrator to the employer. In the latter case, any employer that is self-insured and uses Anthem probably has obligations for independent data breach investigation, notification and remediation to anyone currently insured under its self-insured plans unless Anthem was delegated those obligations by contract. Your self-insured clients therefore should review their contracts to determine the extent to which any of the breach-related obligations have been delegated.
Breach-Related Obligations
To the extent these obligations have not been delegated, your self-insured clients will have independent breach-related obligations under both federal and state law. It does not appear that any medical information was compromised in the Anthem breach. Anthem has acknowledged, however, that consumer names, addresses, Social Security numbers and health account numbers might have been compromised. Because this data all relates to healthcare coverage for consumers, the protections and obligations imposed by the Health Insurance Portability and Accountability Act (HIPAA) likely apply. Penalties for non-compliance can go up to $100 per day but are capped at $1.5 million per incident.
In addition, every state except Alabama, New Mexico and South Carolina, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, impose their own data breach notification requirements. Ten of those states—Arizona, Arkansas, California, Hawaii, Indiana, Kansas, Kentucky, Michigan, New Hampshire and Rhode Island—exempt an entity subject to HIPAA from their state disclosure and penalty regimes as long as the entity satisfies HIPAA data breach notification requirements. State penalties for non-compliance range from hundreds of dollars to as much as $5,000 per day.
In addition, 16 states—Alaska, California, Colorado, Hawaii, Illinois, Louisiana, Minnesota, Nevada, New Hampshire, North Carolina, Oregon, South Carolina, Tennessee, Virginia and Washington—and the District of Columbia, Puerto Rico and the U.S. Virgin Islands provide a private right of action for individuals to sue for non-compliance with their disclosure regimes.
HIPAA requires the owner or licensor of the compromised data to notify potentially affected consumers within 60 days of discovering the breach. For self-insured plans, the employer or the plan itself will be the data owner. The notice generally must include:
- The types of data that were breached
- The steps the individual can take to protect himself or herself going forward
- What is being done to eliminate the breach issues going forward
- Contact information for questions.
Anthem has set up a website through which it provides all of the requisite information: www.anthemfacts.com.
State breach notification laws generally require companies to provide the same types of information, but the laws differ with respect to when the notifications need to be provided; to whom (the exceptions vary widely); and the method of providing notice. A survey of all of the applicable state breach notification laws and their requirements is included in Steptoe’s data breach response toolkit at www.steptoe.com/databreach.
What Next?
No doubt the Anthem breach will be viewed as just one in a long line of high-profile data breaches—not the first and inevitably not the last. Although you and your clients cannot completely eliminate the cyber-risk exposure (particularly with respect to third-party vendors like Anthem), you can minimize it. You should also have a plan in place so you are ready for the next event.
You and your clients might want to consider:
- Identifying and mapping the data in your possession and data for which you may be responsible (like the Anthem beneficiary data for self-insured plans)
- Evaluating and updating your network security and access control measures and protocols
- Reviewing your contracts with vendors and business partners to ensure they properly address the responsibility for data security (and that they include audit rights)
- Reviewing and updating your privacy notices and practices to ensure that you are actually doing what you say you are doing
- Making sure your insurance coverage is adequate to recover the potentially catastrophic costs of a breach, including response, remediation and litigation costs
- Focusing a component of any due diligence in M&A-type transactions on your potential partner’s cyber-security systems and protocols, because when you buy another firm, you are buying its data and any data security problems it might have.
Finally, you and your clients should maintain an up-to-date incident response plan and regularly test it to ensure it works. The plan should make clear who would be called in to help when an incident occurs. To minimize your potential liability, your first call should be to your lawyer. As self-serving as that sounds, it’s prudent advice because it allows a breach investigation to commence while maximizing your opportunity to avail yourself of the protections of the attorney-client privilege, which can be critical if litigation ensues.