It’s being called “a very sophisticated external cyber-attack.” With the theft of 80 million of its customers’ and employees’ records, Anthem Health Insurance has suffered one of the largest data breaches in our nation’s history, if not the largest. Reports suggest the cost of the attack may exceed $100 million.
After the attackers broke into the company’s database, likely by using stolen credentials, they took the personal information of its members as well as its current and former employees, including names, dates of birth, physical and email addresses, medical IDs and Social Security numbers.
In addition to the individuals who have been affected, a multitude of organizations have been as well. That’s because many companies use Anthem as the insurer for their fully-insured health plans. Others use it as a third-party administrator (TPA) for their self-insured health plans. Still other companies may not have used Anthem directly but instead used a different insurer, TPA or vendor that “subcontracted” various services to Anthem. These companies may be affected even if they never contracted with Anthem themselves.
For all of these companies, there are several implications to consider. The following Q&A may help shed light on whether you or your company may be affected by this breach.
Which entities are included under the Anthem umbrella?
Anthem conducts business around the country under several names. For example, in Colorado and Nevada, it operates under “Rocky Mountain Hospital and Medical Service, Inc.” In Wisconsin, it operates as “Blue Cross Blue Shield of Wisconsin.” Check out this list of Anthem’s entities.
Has Anthem published information discussing the breach?
Yes. Anthem has sent out emails to affected clients. It also has published a website describing certain information about the breach.
Does the breach affect only Anthem’s fully-insured business? Self-funded business? Both?
The current, published Anthem guidance does not address this question. However, we understand from Anthem representatives that it affects both lines of business (fully-insured and self-funded).
What type of information was breached?
Anthem’s initial determination is that the hackers obtained names, dates of birth, member health ID numbers/Social Security numbers, addresses, telephone numbers, email addresses and employment information, including, possibly, income data. Many companies probably did not provide income data to Anthem.
Currently, Anthem is reporting that no actual medical information (e.g., claims information or explanations of benefits) was breached. Anthem also reports that no credit or debit card information was taken.
If no claims information was breached, does HIPAA even apply?
HIPAA probably does apply, in general. Anthem has stated that member health ID numbers, including Social Security numbers, were breached. Under HIPAA, this information generally is “protected health information” (PHI). Anthem has also stated that it believes HIPAA applies, in general.
If PHI was involved (as seems likely), then the unauthorized acquisition of the information most likely was a “breach” under HIPAA. Technically, a covered entity should analyze whether the PHI was “compromised” in order to determine if there was a HIPAA breach. That analysis involves four factors under the HIPAA breach notification rule (45 CFR §164.402): the nature and extent of the PHI involved; the unauthorized person who obtained it; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Some factors are already known, such as the nature and extent of the PHI involved (member ID numbers and Social Security numbers). Others may never be known, such as the identity of the unauthorized person who gathered the PHI. Given the nature of the situation, most clients of Anthem will likely treat it as a HIPAA breach and follow HIPAA’s reporting rules.
We use Anthem as our insurer/TPA. If Anthem reports the breach, must we also report under HIPAA?
It depends. If the health plan was fully insured, we think most companies will rely on Anthem to report the breach to affected individuals, the media and the federal government.
If the health plan is self-funded, the plan can delegate to Anthem the responsibility to notify affected individuals. The same is likely true for notifying the U.S. Department of Health and Human Services. It is not clear whether the same is true for notifying the media, so the health plan will need to evaluate whether it must make its own media report. We recommend discussing this issue with Anthem.
Do other laws require an employer to report the breach?
Possibly. Forty-seven states have breach notification rules that apply when certain sensitive information is breached. Social Security numbers are commonly treated as sensitive and often trigger these reporting rules. Since the rules vary from state to state and generally follow the residence of the affected individuals, an employer would need to consider the rules of each state in which its affected employees reside.
Will Anthem release more information?
Probably. Clients of Anthem should keep in mind that this situation is still fluid. We expect further details to be released. Those additional details may change how an employer communicates with its employees and others.