As has now been widely reported, Anthem, Inc. was the unfortunate target of a cyber-attack potentially impacting 80 million current and former customers. Some reports have indicated that the HIPAA breach notification rules will not apply to this breach. However, the information stolen appears to include individually identifiable information, potentially including health plan enrollment information. Enrollment information, in the hands of a health plan, is protected health information (PHI), so it is possible that the HIPAA data breach notification rules are applicable. As such, both insured and self-funded customers utilizing Anthem as their TPA should review information concerning the Anthem breach carefully before concluding that the HIPAA breach notification rules do not apply.
Additionally, given that claims for other Blue Cross Blue Shield customers may have been submitted through Anthem for employees and dependents in an Anthem service area, it is possible that Anthem has information on individuals who are not Anthem customers, but are customers of other Blue plans. Therefore, customers of any Blue Cross Blue Shield insurer should reach out to their contacts to ensure they are not affected.
If the HIPAA breach rules do apply, then Anthem and other Blue customers should also carefully review their applicable business associate agreements. Those agreements should outline the obligations of the Blue Cross entity and the plan administrator (which is often the company) in providing notification to affected individuals.
Finally, while we mostly focus on the benefits issues under federal law, it is also important not to neglect state law. States have their own data breach laws that could be applicable to this breach as well, as described in this short bulletin.