By now you’ve surely read about the massive cyber breach at the second-largest health insurer in the country, Anthem Inc.
Hackers breached the insurer’s database with information on its 40 million customers and employees in the US. It’s still not clear just how much information the hackers got their hands on and if that data includes personally identifiable information that could be used for identity theft.
The hack illustrates not only the escalating threat of cyber attacks on the health care community, but also raises questions of employer liability if a company has purchased its group health policy from an insurer that is hacked.
Security experts say cyber criminals are increasingly targeting the health care industry. They say that many of these companies are easy pickings because they are using aging computer systems that don’t include the latest security features.
Anthem is not the first to be hit. Community Health Systems Inc. last year said Chinese hackers had broken into its computer network and stolen information on 4.5 million patients.
According to the Ponemon Institute, the percentage of health care organizations that have reported a criminal attack rose to 40% in 2013 from 20% in 2009.
The information that the hackers breached in Anthem’s case included current and former customers and employees.
What’s an employer to do?
Whether an employer using Anthem as an insurer has a notice-of-breach obligation to its affected employees depends on a few factors.
The obligation to provide notice of a breach of “personally identifiable information” (names, Social Security numbers, addresses and more) and “protected health information” (such as certain enrollment information and individually identifiable health information related to past, present or future medical care) is governed by both federal and state laws.
Because it holds troves of information on its enrollees, Anthem is primarily responsible for the specific notification obligations, and it has announced that it will inform affected individuals by e-mail or letter, or both.
The federal Health Insurance Portability and Accountability Act (HIPAA) imposes specific notice and disclosure obligations on health plans in the wake of a breach of protected health information.
In cases where Anthem is acting as an insurer, and the employer does not maintain or transmit protected health information, the notice and disclosure obligation is Anthem’s. Anthem’s notice efforts now underway appear to reflect the company’s understanding that it has the obligation.
If a health plan is fully insured by Anthem, the employer may not actually acquire, maintain or transmit the plan’s protected health information.
Generally, it is the insurer’s responsibility to notify affected individuals. That said, health plans and their business associates may agree upon who will actually supply the notice.
The federal Department of Health and Human Services, which oversees federal enforcement of HIPAA, encourages plans and their business associates to consider which of the two is in the best position to provide notice to affected individuals.
Financial consequences for employers
Cyber-security experts say the cost of responding to a breach of this magnitude can range from $100 to $230 per affected individual. In the case of Anthem’s breach, based on statements by the insurer, it will bear the costs of notification.
If an employer does incur costs from a breach, it may or may not be reimbursed by insurance.
Direct costs, such as notification, legal, public relations, call center, or credit/identity monitoring costs, would likely be covered if the employer has a cyber-liability insurance policy, especially if it is determined that the employer is legally obligated to respond to the breach.
If a lawsuit or other claim is filed against the employer for damages related to the Anthem breach, the privacy liability insuring agreement in the employer’s cyber policy may provide coverage for defense costs and damages associated with the claim.
Other policies, such as directors and officers and general liability coverage, may also provide some coverage. But that would be determined by the policy language and any exclusions the policy has.
If you ever do experience a claim in this regard, you should contact us to help you determine which policy could be tapped for coverage.