Organizations whose employees are insured by Anthem or whose self-insured health plans are administered by Anthem should consider steps to mitigate the cybersecurity and legal risk arising from the breach recently reported by Anthem.
The hackers who perpetrated the Anthem breach are likely to use the personal information they took for further cyberattacks against affected individuals and employers, including to gain access to business information using social engineering attacks and other methods. Anthem’s business customers are advised to take immediate steps to harden their cybersecurity defenses, raise cybersecurity awareness among employees concerning likely secondary attacks, and remain vigilant against further attacks.
Further, organizations for which Anthem is a business associate (under HIPAA) or a service provider (under State breach notification laws) for their health plans may have a direct obligation to notify employees whose personal information was affected by the Anthem incident and regulators. The existence of those obligations will depend on the details of the relationship between Anthem and the organization.
POTENTIAL CONSEQUENCES FOR ANTHEM’S CUSTOMERS
According to news reports Anthem Inc., the country’s second-biggest health insurer, suffered a data incident that appears to have affected the personal information of 80 million individuals. Anthem’s investigation is ongoing, but it has released preliminary FAQs concerning the incident. The database taken from Anthem includes names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, email addresses and employment information. However, Anthem has indicated that no diagnosis or treatment data was exposed. Anthem plans to notify affected individuals in the coming weeks.
Potential Legal Notification Obligations for Anthem’s Customers
An immediate consequence of the incident is that it may trigger breach notification obligations for some organizations that make health insurance accessible through Anthem. Under HIPAA, corporate health plans are typically considered “covered entities” subject to HIPAA with respect to protected health information (“PHI”) of their employees. Corporate health plans may also be considered “data owners” under breach notification laws currently on the books in 47 states. Entities that store or process personal information or PHI on behalf of covered entities/data owners are “business associates” (under HIPAA) or service providers under State breach laws. Under HIPAA and State breach laws, if a business associate or service provider suffers a breach affecting the personal information or PHI, it is obligated to notify the covered entity/data owner, and the covered entity/data owner – which may be the employer – is then obligated to notify the affected individuals.
Potential Risk of Secondary Cyberattacks
Further, according to initial expert analysis, the incident is likely a “dual-purpose” event, where the key goal of the hackers is to identify individuals and companies as targets for industrial espionage. These secondary attacks, if successful, may raise further notification obligations for companies, including obligations under the SEC requirements for public companies. Anthem’s customers in defense, high tech, pharma, and critical infrastructure industries are advised to take robust steps to prepare for attempts to breach their cybersecurity defenses using the stolen personal information.
Organizations utilizing Anthem to provide or support their employee health insurance plans should consider the following action steps:
- Determine the nature and details of the organization’s relationship with Anthem;
- Determine whether the organization’s employees or their family members were affected by the Anthem breach (this will likely require communications with Anthem);
- Review the organization’s agreements, including BAAs, with Anthem to determine responsibilities and liability in the event of a breach;
- Understand applicable HIPAA requirements and State breach notification laws;
- Raise awareness of organization’s employees to identity theft and secondary cyberattacks;
- Take steps to harden the organization’s cybersecurity defenses (e.g., by verifying administrative, technical and physical information security safeguards in place, conducting dry runs and tabletops to confirm cyberattack response readiness);
- Take steps to identify the organization’s vendors – aside from Anthem – that access employees’ sensitive personal information; review relevant agreements and verify that vendors have appropriate safeguards in place for the information.
Norton Rose Fulbright’s global Data Protection, Privacy and Access to Information team will continue to monitor this situation and will provide additional information as appropriate.