On February 15, 2015, Anthem, the nation's second largest health insurer, announced that it had been the victim of a massive cyber-attack.
Hackers were able to gain unauthorized access to the company’s IT systems, retrieving up to 80 million individuals’ personal information. According to Anthem chief executive officer (CEO) and president Joseph Swedish, hackers obtained information including names, birthdays, medical IDs, social security numbers, street addresses, email addresses and employment information, including income data.
The healthcare industry has become a prime target for cyber hackers, who now have the ability to steal the identities of tens of millions of Americans.
Companies looking to respond to the breach have found that 47 states have privacy breach laws, and the federal government adds another layer depending on what type of data is breached.
“Many in the legal and political community despair over how convoluted privacy breach laws have become,” said Christopher Keegan, the practice leader for cyber risk at Beecher Carlson, a large account risk management and insurance broker. “The Anthem situation provides a great example of how difficult it is for the average company to plan its obligations after a vendor has been compromised.”
Anthem has said that hackers were unable to target and access medical information such as test results, claims, and diagnostic codes.
Employer notification obligations depend upon the type of information breached, whether the health plan is fully insured or self-funded, and whether Anthem has a contractual obligation to provide the required notices. Employers may unknowingly fail to provide adequate breach notification because they believe breached e-mail address and home address information is not in fact protected health information (PHI).
“Many employers maintain the mistaken belief that HIPAA PHI only encompasses medical, dental, or vision care information,” Keegan stressed. “However, PHI also encompasses how the care is paid for and how care is provided. Information such as home address and e-mail address constitutes PHI even if it's not as sensitive as diagnosis or treatment information.”
State rules can apply in addition to the HIPAA rules and they can be inconsistent regarding who owns the data.
“Many businesses are not aware what healthcare services constitute PHI, but may be required to notify individuals pursuant to state breach notification laws,” Keegan said. “One piece of good news is that despite the legal responsibilities, cyber insurance has evolved to cover liabilities and obligations when a vendor is the target of a hack despite the legal confusion – which was not always the case.”
As hackers become more disciplined, organized and sophisticated in their tools and attacks, firms should assess their cyber security and liability insurance coverage, he added.
“Companies can access experienced breach response teams and roadmaps to meet, assess and resolve a cyberattack head-on,” he said. “Cyber insurance can provide a financial backstop as companies work through their legal obligations with the comfort that it will respond, regardless of whether the breach occurred at a vendor’s site or what the final legal outcome may be.”