A health insurance company announced today that it has been the victim of a sophisticated cyber-attack and data breach of information of current and former covered persons. Names, addresses, Social Security numbers and other personal data were accessed.

This breach is a reminder for employer health plan sponsors and fiduciaries – regardless of what company provides insurance, claims management or recordkeeping services – to know their duties under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). They should review their health insurance contracts, HIPAA privacy and security policies, business associate agreements and administrative services agreements to understand the required reporting obligations, indemnity provisions and other issues that come into play if a data breach occurs.