Responding to the Anthem Cyber Attack

Anthem Inc. (Anthem), the nation's second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies. Anthem has reported that the exposed information includes member names, member health ID and Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information. The investigation of the massive data breach is ongoing, and media outlets have reported that class action suits have already been filed against Anthem in California and Alabama, claiming that lax Anthem security measures contributed to this incident.

Employers, multiemployer health plans, and others responsible for employee health benefit programs should take note that the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws may hold them responsible for ensuring that certain notifications are made related to the incident. The nature of these obligations will depend on whether the benefits offered through Anthem are provided under an insurance policy, and so are considered to be "fully insured," or whether the Anthem benefits are provided under a "self-insured" arrangement, where Anthem does not insure the benefits, but instead administers the benefits. The most significant legal obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will apply to Anthem benefits that are self-insured.

Where notifications must be made, the notifications may be due to former and present employees and their dependents, government agencies, and the media. Where HIPAA applies, the notifications will need to be made "without unreasonable delay" and in any event no later than 60 days after the employer or other responsible party becomes aware that the breach has affected its own health plan participants. Where state data breach laws apply, notifications generally must be made in the most expedient time possible and without unreasonable delay, subject to certain permitted delays. Some state laws impose outside timeframes as short as 30 days. Under the state laws, reporting obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will generally turn on whether they, or Anthem, "own" the breached data. Since the state laws apply to breaches of data of their residents, regardless of the states in which the compromised entities and data owners are located, and since former employees and dependents could reside anywhere, a comprehensive state law analysis is required to determine the legal requirements arising from this data breach. Fortunately, depending on the circumstances, some (but not all) state data breach notification laws defer to HIPAA breach notification procedures, and do not require additional action where HIPAA applies and is followed.

As potentially affected parties wait for confirmation from Anthem as to whether any of their employees, former employees or their covered dependents has had their data compromised, we recommend that affected parties work with their legal counsel to determine what their responsibilities, if any, might be to respond to this incident. Among other things, for self-insured arrangements, HIPAA business associate agreements and other contracts with Anthem should be reviewed to assess how data breaches are addressed, whether data ownership has been addressed by contract, and whether indemnification provisions may apply. Consideration should also be given to promptly reaching out to Anthem to clarify the extent to which Anthem will be addressing notification responsibilities. Once parties are in a position to make required notifications, we also recommend that companies consult with legal counsel to review the notifications and the distribution plans for those notifications to assure that applicable legal requirements have been satisfied.

© 2019 Proskauer Rose LLP.

About this Author

Roger A. Cohen, Health Law Attorney, Proskauer Law Firm
Associate

Roger Cohen is a senior Associate in the Health Care Department. His practice focuses on representing health care and life science clients, including academic medical centers, hospitals, physician organizations, health information technology and medical device companies, private equity firms, and other financial institutions in a wide array of health care regulatory matters.

Law360 recognized Roger as a 2014 “Rising Star,” naming him as one of the top health care lawyers in the country under age 40. Similarly, SuperLawyers named Roger a New York Metro Rising Star...

212-969-3114
Paul Hamburger Employee Benefits Law Attorney Proskauer Rose Law Firm
Partner

Paul M. Hamburger is co-chair of the Employee Benefits & Executive Compensation Group and head of the Washington, DC office. Paul is also a leader of the Practice Center’s health and welfare subgroup and a member of Proskauer’s Health Care Reform Task Force.

Paul provides technical knowledge and advice to employers on all aspects of their employee benefit programs, and advises employee benefit plan trustees and service providers on ERISA and employee benefit plan-related matters. He has extensive experience in negotiating service provider and outsourcing agreements. Paul frequently represents clients before government regulatory agencies, including the Internal Revenue Service, Department of Labor and Pension Benefit Guaranty Corporation.

Paul focuses on all matters affecting employee benefit plans, including:

  • 401(k) plans, ESOPs, and defined benefit plans, including cash balance pension plans
  • Executive compensation plans and agreements
  • Welfare benefit plans, including cafeteria plan, COBRA, and health care reform (PPACA) issues

Recognized by a number of publications for his exceptional work, Paul is described by The Legal 500 United States as "one of the best in his field; he inspires a high level of confidence and is a pleasure to work with." Chambers USA notes that Paul’s clients refer to him as "a creative, business-oriented and brilliant lawyer who educates and enlightens." 

As a noted thought leader in his field, Paul frequently speaks on employee benefit matters. In addition, he served for several years as an adjunct professor at Georgetown University Law Center teaching the LL.M. tax course on ERISA Health and Welfare Benefit Plans.

An author of numerous articles on employee benefits matters, Paul has produced a number of nationally-circulated loose leaf publications, published by Thompson Information Services: Mandated Health Benefits – The COBRA Guide, The Guide to Assigning & Loaning Benefit Plan Money, and The Pension Plan Fix-It Handbook.

202.416.5850
Kristen J Mathews, Privacy, Data Security Attorney, Proskauer, Law Firm
Partner

Kristen J. Mathews is head of the Privacy & Data Security Group and a member of the Technology, Media & Communications Group.

Kristen focuses her practice on technology, e-commerce and media-related transactions and advice, with concentrations in the areas of data privacy, data security, direct marketing and online advertising. She regularly advises clients on a wide range of matters, including privacy and data security compliance, customer authentication, responding to data security breach incidents, preparing privacy and data security policies, data profiling, behavioral...

212-969-3265
Ellen H Moskowitz, Health Care, Proskauer Law Firm
Senior Counsel

Ellen Moskowitz is a Senior Counsel in the Health Care Department. She provides a broad range of regulatory, corporate and transactional services to the health industry, social services clients and charitable organizations, such as academic medical centers, health clinics, health plans, pharmaceutical companies and not-for-profit organizations. 

212-969-3232
Richard J Zall, Proskauer Law Firm, Health Care Attorney
Partner

Richard Zall is Chair of the Health Care Department. His practice is focused on corporate and regulatory representation of a wide array of health care and life science clients, including academic medical centers, hospitals, physician organizations, information technology and medical device companies, managed care and health benefit management companies, and private equity firms.

212-969-3945