February 5, 2015

As you may have heard in the news by now, as many as 80 million subscribers to health insurance coverage provided by Anthem in as many as 14 states may have been the target of a cyber-attack that could have exposed important personal information, including names, birthdays, and personal identification information (including social security numbers). The good news from Anthem appears to be that no personal credit card or individual medical information has been disclosed. However, Anthem is still evaluating the extent of the damage, as well as undertaking further assessment of whether the attacks have any broader reach, including whether they extend to other Blue Cross and Blue Shield affiliated organizations (although not part of the same legal organization, Anthem is affiliated with other Blue Cross and Blue Shield Association members and often share information and resources internally).

Although it is too soon to know the full extent and ultimate outcome of this data disclosure announcement, there are steps we recommend that every employer or plan administrator consider taking to protect their employees. These steps for employers/plan administrators may, among others, include:

  • Working with your insurance advisors and consultants to determine if your health insurance plan is a plan that receives medical benefit coverage through Anthem or another Blue Cross and Blue Shield organization. If not, you are not subject to the current data breach investigation; 
  • If your group health plan is administered or provided through Anthem or another Blue Cross and Blue Shield organization, you and your advisors/consultants should be evaluating the potential impact to your employees. 
  • If your group health plan is self-insured, assessing the current status and impact of your HIPAA Privacy and Security Policies and Procedures, including your and Anthem’s obligations around any required notifications for unauthorized disclosures of protected health information (“PHI”). In that regard, you should also consider reviewing any Business Associate or other contracts you may have with Anthem. 
  • Considering whether to send a memo or other communication to your employees regarding the potential Anthem breach. Depending on your circumstances, you might indicate that you are currently monitoring the impact of this situation on their behalf. Also, you might suggest that employees gain direct information from Anthem at www.AnthemFacts.com or through calling 1-877-263-7995 if that information has not already been provided.

Please contact a member of the Employee Benefits and Executive Compensation team to further assess the current and future impact of this announcement on your organization to determine any specific course of action.