On January 29, 2015, Anthem Inc., one of the largest managed health care companies in the country, disclosed that the sensitive personal data of almost 80 million current and former participants in its network was breached in a cyber attack. This breach also impacted health plan participant data of plans that use the Blue Cross Blue Shield network of health providers. In some states, Anthem administers certain aspects of Blue Cross’s network. Those states include California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia, and Wisconsin. Accordingly, health plans that have participants who received care in those states through the Blue Cross network are likely to be impacted.

The breach included personal information including names, addresses, health care ID numbers, birth dates, e-mail addresses, and in some cases, Social Security numbers. Information that is considered protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act may also have been compromised.

Employers that sponsor self-insured plans and use Anthem or Blue Cross should carefully consider what steps they are required to take under HIPAA and various state data security breach notification laws. In some circumstances, HIPAA business associate agreements will allocate responsibilities for breach notification to Anthem and/or Blue Cross, but there are nevertheless steps that plan sponsors may need to take in light of the breach.