On February 4, 2015, Anthem Inc. (“Anthem”) announced a data breach involving the personal information of up to 80 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. According to Anthem, the information involved in the data breach included: names; dates of birth; social security numbers; health care identification numbers; home addresses; email addresses; and work information such as income data. Anthem originally maintained that the breach did not implicate the Health Insurance Portability and Accountability Act (“HIPAA”) and its corresponding breach notification obligations because medical information was not compromised. However, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has publicly stated that the kind of personal data stolen by the Anthem hackers is covered by HIPAA, even if it does not include medical information. This can be seen as consistent with an earlier enforcement action involving a large national pharmacy chain in which OCR took the position that a health insurance card meets the definition of protected health information, and must be safeguarded. Like the disclosure of a health insurance card, the current incident involves identifying information and a link to Anthem, which relates to payment for health care services. The government therefore could conclude that this information qualifies as protected health information under HIPAA without the addition of other personal medical information.
Beyond HIPAA, 47 states, plus the District of Columbia and two U.S. territories, require notification if there is a breach of certain personal information, including social security numbers.
Anthem announced on February 13, 2015 that it would take responsibility for notification requirements under these laws and notify potentially affected former and current members by mail with the first round of notifications sent out February 18, 2015. In addition Anthem is providing free credit monitoring and identity repair services for 24 months to all those potentially affected.
Companies should be aware of steps they can take to avoid becoming the next Anthem. As we discussed in a recent client alert, proactive HIPAA compliance efforts can ensure that your organization is able to mitigate the risk of future losses due to HIPAA violations and breaches.