Health care data breaches are not new. The breach announced by health insurer Anthem on February 5, 2015 is notable mostly for its scope. According to Anthem’s statement, hackers utilized a very sophisticated cyber attack to gain access to the information of potentially 80 million current and former Anthem members. The information accessed included names, birthdays, medical IDs, Social Security numbers, addresses, email addresses, employment information and income data of current and former members, including Anthem employees. At the time of Anthem’s statement, there was no evidence that credit card or medical information, such as claims, test results or diagnostic codes, were targeted or compromised. The breach appears to be the largest cyber attack ever disclosed by a health care company.
Data breaches are complex and often are confusing for potentially affected individuals. As with any major event, there will be information published that is accurate and some that is inaccurate. It is important for all involved to operate based on accurate information. To aid in that effort, we offer the following information:
- It is widely accepted and reported that medical information is 10 to 20 times more valuable on the black market than credit card numbers. This makes health care organizations attractive targets for criminals seeking to profit from such information. Most health care organizations make reasonable efforts to prevent unauthorized access to identifiable information, but staying ahead of the hackers has proven to be a complicated task.
- Anthem is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); therefore, to the extent the identifiable information accessed by the hackers was provided to Anthem in its role as a health plan or as a third-party administrator of a health plan, it has obligations under HIPAA with respect to that information. HIPAA requires that written notice of a breach be provided to each affected individual and to the federal government. Because the breach involves more than 500 individuals, it will be subject to a mandatory investigation by the federal government. If the government investigation finds that Anthem did not have reasonable and appropriate safeguards in place or otherwise violated HIPAA, it may impose a civil monetary penalty.
- Many states have data breach laws that may also apply to Anthem based on where the affected individuals reside. The requirements of those state laws generally are similar to HIPAA but may require notification on a shorter time frame and to the state’s Attorney General or other agency. States where affected individuals reside are also likely to investigate the breach and may impose a financial penalty if it is found that Anthem did not have reasonable procedures in place to protect and safeguard the information.
- Individuals do not have the ability to sue for violations of HIPAA or most state data breach laws, but there have been several cases recently where individuals have sued health care organizations under common law theories of liability such as invasion of privacy or breach of fiduciary duty. In a breach the size of the Anthem breach, class action lawsuits based on one of these theories are likely to occur. In fact, it is our understanding that one was filed in Indiana on the same day that Anthem announced the breach.
- It is likely that the majority of individuals affected will not experience any identity theft or other adverse effects from the Anthem breach. In addition, if an individual does experience identity theft subsequent to this breach, it may be difficult in many cases to identify which breach was the source for the information that led to the identity theft given the number of large breaches recently in the retail sector and the various other means that criminals have to access information. This could also hinder individuals from establishing the damages needed for a successful lawsuit.
- Entities that suffer data breaches, including Anthem, typically offer to pay for credit monitoring services for all affected individuals, which can be an effective component of monitoring for unauthorized activity. The most effective action that any individual can take is to always be vigilant in monitoring activity on financial accounts and to notify your financial institutions immediately of any suspicious activities. Furthermore, whenever a breach involves a health care institution, individuals should closely monitor their Explanation of Benefit forms and any communications or information from their health care providers and insurers that may indicate that medical identity theft has occurred and report any suspicious activity to their health care provider or insurer.
Anthem has established a website, www.anthemfacts.com, to provide information about the breach. As well, current and former members can call (877) 263-7995 for additional information.