February 10, 2015
As a follow-up to its announcement of a massive cyber breach last week (see our previous alert attached here), Anthem has updated its “Frequently Asked Questions” for its employer clients, which are posted at anthemfacts.com. The most significant development in Anthem’s latest FAQs is the confirmation that individuals outside of Anthem’s 14-state coverage area may also be impacted if they sought medical services through the affiliated Blue Cross and Blue Shield plans via the “BlueCard” network. The BlueCard network links thousands of participating health care providers with the independent Blue Cross and Blue Shield (“BCBS”) plans across the country and in more than 200 countries and territories worldwide.

The good news still appears to be that despite confirmation that the BlueCard network was impacted, Anthem has not identified, to date, any potential breach of protected health information (also known as “PHI”) or credit card data. As such, we remain in a “wait and see” approach to determine whether there was any violation of the data privacy rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In the meantime, we continue to recommend that employers and other plan administrators undertake the following steps to ensure they have satisfied their fiduciary responsibilities in reviewing and evaluating the potential impact of the Anthem data breach on their group health plans:
  • Continue to work with your insurance advisors and consultants to determine if your health insurance plan is a plan that receives medical benefit coverage through Anthem or another BCBS organization, including usage of the BlueCard network. If so, you should evaluate the potential impact of the data breach to your employees, and monitor the steps being taken to further mitigate the risk of future data breaches as well;
  • If applicable, review your HIPAA Privacy and Security Policies and Procedures to ensure they have been fully updated to reflect all legal mandates up through the most recent final rules promulgated in 2013, including those related to required breach notification procedures. You should also work with your consultants and legal advisors to evaluate if there has been any unauthorized disclosure of unsecured PHI that requires any further action, including possible notification requirements within the allowable time frames under HIPAA;
  • Review any business associate agreements or other contracts you may have with Anthem or any other BCBS organizations that provide services to your group health plan to determine if any other breach notification obligations exist with any relevant service providers;
  • Even if currently with another insurance company or other provider other than Anthem or a BCBS entity (e.g., Aetna, Cigna, Humana, United Healthcare, etc.), ask your carrier or other insurance provider what protocols or processes they have in place to mitigate the possibility of a similar cyber-threat occurring in the future;
  • Continue to update your employees with emails or other communications to advise them of the current status of the Anthem breach, and direct them to the updated FAQ’s on the AnthemFacts.com website, or have them call 1-877-263-7995 to remain informed of any further developments;
  • Remind your employees of the risk of receiving unauthorized “phishing” e-mails from scammers who may claim to be with an insurance company or other insurance provider:
  • Remind them not to “click” through any links received in an email for any reason.
  • Clarify that Anthem will likely send detailed correspondence of the errors that occurred, as well as important steps for them to take once Anthem has completed its investigation; and
  • Work with your advisors and legal counsel to determine whether any other actions should be taken under applicable state law regarding the known breaches (including names, dates of birth, member ID/social security numbers, addresses, phone numbers, e-mail addresses and employment information).
Please contact a member of the Employee Benefits and Executive Compensation team to further assess the impact of this updated information and determine any required course of action.