The well-publicized cyber-attack on Anthem, Inc.’s information technology system may require employers to take prompt action to protect the rights of their health plan participants. Although neither the scope nor the cause of the security breach has yet been determined, the attack has been described as both “massive” and “sophisticated.” And because all of the 37 independent, locally operated Blue Cross Blue Shield entities across the United States and Puerto Rico that form the Blue Cross Blue Shield system may share claims processing information with Anthem, virtually all plans that are insured or administered by a Blue Cross entity will be affected.

The Anthem security breach raises privacy and security issues under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, as well as fiduciary issues under ERISA. As reported in our September 25, 2009, article, regulations issued by the Department of Health and Human Services in 2009 under the HITECH Act created new notification requirements when a data breach compromises the security or privacy of unsecured protected health information. Although some commentators originally believed that Anthem’s breach did not implicate these notice requirements because medical information apparently was not included in the compromised data, that conclusion may have been premature.

Anthem allegedly discovered the breach on January 29, 2015. Information released so far indicates that the attackers gained access to personal information from individuals who are current and former members of Anthem’s associated health plans, as well as individuals covered under other Blue Cross plans. Anthem’s preliminary investigation shows that the personal information accessed may have included names, health plan identification numbers, dates of birth, addresses (both physical and e-mail), phone numbers, employment information, income data, and Social Security numbers.

The HIPAA breach notification rule is triggered if unencrypted protected health information (“PHI”) is accessed without authorization. The definition of PHI is broad enough to include the kinds of individually identifiable information that was disclosed (such as names, addresses, dates of birth, and Social Security numbers), even if that data did not include diagnostic or treatment information. Anthem appears to be treating the disclosed information as PHI, because its public notice is consistent with HIPAA’s breach notification rules.

If, in fact, the Anthem attack amounts to a breach of unsecured PHI, it will trigger a series of time-sensitive notice requirements. Those requirements apply both to Anthem and its Blue Cross affiliates – as business associates to the health plans they serve – and to those plans themselves, as covered entities under HIPAA. Under the breach notification rule, business associates must notify covered entities of any covered breach, and covered entities then must notify affected individuals (and potentially the media and HHS).

For those employers who have already received information about the Anthem attack from Anthem or their Blue Cross provider, the notice clock may already have started ticking. Generally, covered entities (i.e., health plans) must give notice to individuals affected by a breach “without unreasonable delay,” but not later than 60 days after the covered entity is informed of the breach by its business associate. Correspondence we have seen from Anthem and local Blue Cross entities to plan sponsors in recent weeks may be sufficient to trigger the covered entity notice requirement. And unless the business associate agreement between the plan and its Blue Cross service provider contractually shifts the obligation to notify affected individuals, that obligation rests with the plan.

Even if the Anthem breach does not amount to a privacy violation that triggers the HIPAA breach notification requirement, it is certainly an event that should garner the attention of plan fiduciaries under ERISA. Plan fiduciaries are obligated to act prudently and with the best interests of participants and beneficiaries in mind, whether the plan is self-funded or fully insured. Regardless of whether sensitive health information was compromised in the breach, Anthem has acknowledged that other personal information – including Social Security numbers, bank account information, and income data – may have been disclosed. At a minimum, plan fiduciaries should take steps to ensure that Anthem and/or the Blue Cross entity with whom the plan has engaged provide adequate identity protection and credit monitoring services to affected participants.

As this situation continues to develop, we encourage plan sponsors and fiduciaries to be proactive in their response. Action steps could include:

  • Asking for written assurances from the plan’s Anthem or Blue Cross administrators that the plan and its data were not affected by the Anthem attack. If plan fiduciaries are unable to obtain such assurances within a reasonable time, and if the plan has had an administrative or insurance relationship with a Blue Cross entity since 2004, the fiduciaries should assume that the plan is affected.  
  • Asking the plan’s Anthem or Blue Cross representatives whether they are treating the Anthem incident as a “breach of unsecured protected health information,” within the meaning of the breach notification rule. The answer to this question will help determine whether the plan’s notification obligation has been triggered.  
  • Reviewing the terms of the plan’s privacy policies and procedures, business associate agreements, insurance policy, and/or administrative services agreements to determine whether Anthem or a Blue Cross affiliate has assumed the responsibility to discharge any breach notification obligations the plan itself might otherwise have as a covered entity.  
  • Evaluating the scope of any indemnification obligation contained in the plan’s agreements with Anthem or other Blue Cross entity.  
  • Reviewing the plan’s fiduciary liability insurance policy to determine whether it covers HIPAA violations, and if so, whether the Anthem incident requires the plan to notify the carrier of a potential claim.  
  • Issuing a written demand from the plan’s fiduciaries that Anthem and/or the plan’s Blue Cross provider keep the fiduciaries informed of the steps Anthem is taking to remedy any damage caused by the security breach.