In early February 2015, Anthem, Inc. reported that on January 29, 2015, it had discovered that it was the target of “a very sophisticated external cyber attack.”  Anthem believes the attack happened over the course of several weeks, starting on December 10, 2014.  Accessed information may have included the names, dates of birth, social security numbers, home addresses, email addresses, and income data of current or former members of one of Anthem’s affiliated health plans, or one of the health plans that Anthem provides administrative services to.  Anthem is one of the largest health insurance companies in the United States, and one of the largest service provider to self-funded group health plans and Blue Cross and Blue Shield plans across the country.  Over 300,000 Minnesotans may have been affected by this breach.

What this means for you:

  • If you are one of the individuals that were directly affected by this breach, you should take advantage of the credit monitoring protection offered by Anthem and continue to watch your banking and other financial accounts for any potential suspicious activity. Anthem will contact affected individuals.  However, if you have not yet been contacted by Anthem, but believe you may have been affected by the breach, you can contact Anthem directly by calling (877) 263-7995.
  • If you represent an employer that sponsors a group health plan insured or administered by Anthem, you may need to provide notice to the participants in your plan, and may need to provide notice of the breach to the Department of Health and Human Services (HHS), as required by the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). Some state laws also require notifications in these types of instances.  As a result, you should contact your company’s employee benefits counsel to determine specifically what notice requirements apply in this case.  Anthem may take the lead in fulfilling any notice requirements that apply to your plan, especially if Anthem fully insures the plan.  However, as the plan sponsor, your company is generally ultimately responsible for making sure all HIPAA requirements are met, especially if the plan is self-insured and Anthem only serves as the claims administrator. In addition, you should consult your plan’s HIPAA privacy and security policies to determine if further actions are required due to this breach.  HIPAA generally requires all group health plans have privacy and security policies and procedures.  Therefore, you should make sure you have HIPAA compliant policies and procedures in place for your plan, and that you are following them.  Anthem will contact affected plan sponsors.  However, if you have not yet been contacted by Anthem, but believe your plan may have been affected by the breach, you can contact Anthem directly by calling (877) 263-7995.
  • If you represent an employer that sponsors a group health plan that is not insured or administered by Anthem, you should still familiarize yourself with this breach for two reasons. First, you still may get questions from employees wondering if they are affected.  Second, it can serve as a good test of your HIPAA privacy and security policies and procedures.  HIPAA generally requires all group health plans have privacy and security policies and procedures.  If you do not have such policies and procedures, this serves as a good reminder to implement such policies and procedures as soon as possible.  You can be thankful that your plan was not affected this time.  But you may not be so lucky next time.  In addition, even if your plan is never affected by a breach, HHS has the authority, and regularly exercises such authority, to audit group health plans for HIPAA compliance, and to assess significant fines for noncompliance.  Therefore, you should make sure you have HIPAA compliant policies and procedures in place for your plan, and that you are following them.
  • If your company provides services to another company, and in the course of providing such services, your company receives, transmits, stores, or otherwise has access to certain health information of individuals, your company may be considered a “business associate” under HIPAA. In that case, HIPAA imposes direct liability on your company for certain HIPAA requirements, and your clients will also expect your company to be HIPAA compliant.  As a result of the Anthem breach, your clients may be more interested in your HIPAA policies and procedures, since they do not want to risk being responsible for a HIPAA violation that was caused by your company.  Therefore, you should also make sure you have HIPAA compliant policies and procedures in place for your company, and that you are following them.

Takeaway:  Clearly if you were directly affected by the Anthem breach, either as an individual whose personal data may have been compromised, or as the representative of a company that sponsors a group health plan insured or administered by Anthem, you should take immediate action to obtain credit monitoring (in the case of an individual) or consult with your company’s employee benefits counsel regarding HIPAA notification requirements.  However, even if you were not directly affected by this data breach,  if you represent a company that sponsors a group health plan and/or your company is a “business associate,” this data breach serves as a good reminder to make sure you are in compliance with HIPAA.  At a minimum you should have, and be following, HIPAA compliant policies and procedures.  Two of the most important policies are to conduct a comprehensive security risk assessment and to conduct on-going employee training.  If you do not currently have HIPAA compliant policies and procedures, or you are not sure if they are HIPAA compliant, you should contact your company’s employee benefits counsel as soon as possible.