On February 4, Anthem reported that it experienced a very large attack on its information technology systems. Anthem is reporting that about 80 million individuals may be affected. The details of how it occurred are still unclear, but it appears to have been a sophisticated attack.
Many companies use Anthem as an insurer for their fully-insured health plan products. Others use Anthem as a third party administrator ("TPA") for their health plans. Below we discuss some implications for companies which use Anthem. Also, it seems possible that some companies may not have used Anthem directly, but instead used a different insurer, TPA or vendor. That other insurer, TPA or vendor may have "subcontracted" various services to Anthem. Thus, some companies may be affected even if they did not directly contract with Anthem.
Which Entities are Included Under the Anthem Umbrella? Anthem conducts business around the country under several names. For example, in Colorado and Nevada, it operates under "Rocky Mountain Hospital and Medical Service, Inc.". In Wisconsin, it operates as "Blue Cross Blue Shield of Wisconsin". A list of the Anthem entities can be found here.
Has Anthem Published Information Discussing the Breach? Yes. Anthem has sent out emails to affected clients. Anthem has also published a website describing certain information about the breach:www.anthemfacts.com.
Does the Breach Affect Only Anthem's Fully-Insured Business? Self-Funded Business? Both? The current, published Anthem guidance does not address this question. However, we understand from Anthem representatives that it affects both lines of business (fully-insured and self-funded).
What Type of Information was Breached? Anthem's initial determination is that names, date of birth, member health ID numbers / Social Security numbers, addresses, telephone numbers, email addresses and employment information (including, possibly, income data) was breached. Many companies probably did not provide income data to Anthem. Currently Anthem is reporting that no actual medical information (e.g., claims information or explanations of benefits) were breached. Also, Anthem reports that no credit or debit card information was gathered.
If No Claims Information was Breached, Does HIPAA Even Apply?HIPAA probably does apply, in general. Anthem has stated that member health ID numbers, including Social Security numbers, were breached. Under HIPAA, this information generally is "protected health information" ("PHI"). Anthem has also stated that it believes HIPAA applies, in general.
If PHI was involved (as seems likely) then the unauthorized gathering of the information most likely was a "breach" under HIPAA. Technically, a covered entity should analyze whether the PHI was "compromised" in order to determine if there was a "HIPAA breach". Whether it was "compromised" involves an analysis of four different factors. Some factors are likely to be known (such as the nature and extent of the PHI involved -- i.e., member ID numbers / Social Security numbers). Other factors may never be known -- e.g., the unauthorized person who gathered the PHI. Given the nature of the situation, most clients of Anthem will likely treat it as a "HIPAA breach" and follow HIPAA's reporting rules.
We Use Anthem as Our Insurer / TPA. If Anthem Reports the Breach, Must We Also Report Under HIPAA? It depends. If the health plan was fully-insured, we think most companies will rely on Anthem to report the breach to affected individuals, the media and the federal government.
If the health plan is self-funded, the plan can delegate responsibility to Anthem to report to individuals. The same is likely true for notifying the U.S. Department of Health and Human Services. It is not clear if the same is true for notifying the media. The health plan will also need to evaluate whether it will need to make an additional media report. We recommend discussing this issue with Anthem.
Do Other Laws Require an Employer to Report the Breach? Possibly. Forty-seven states have breach notification rules when certain sensitive information is breached. Social Security numbers often are considered sensitive and often trigger these reporting rules. Since the rules vary from state-to-state, an employer would need to consider the rules which are specific to it.
Will More Information be Released by Anthem? Probably. Clients of Anthem should keep in mind that this situation is still fluid. We expect further details to be released. Those additional details may change how an employer communicates with its employees and others.