Unfortunately, account hacks and data breaches are nothing new. Every day, we hear reports of hackers compromising networks and their protected data. When it happens on a massive scale to a powerful player in the health insurance industry, however, all health care entities should sit up and take note. On February 4, 2015, Anthem Inc. (“Anthem”), the second largest health insurance company in America, admitted that hackers compromised the company’s network and stole the information of up to 80 million customers. This may be the largest health-related data breach in history.
Anthem claims that member data such as names, birthdays, Social Security numbers, and addresses were stolen. Because the breach of medical information triggers specific provisions of the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), it is prudent following such an incident for professionals in the health care industry to review HIPAA’s security and notification requirements. A case study of HIPAA’s application to Anthem may prove useful in such a review. First, as a health insurer, Anthem is considered a “covered entity” pursuant to HIPAA and as such must comply with certain privacy rules when dealing with the protected health information of its members. Protected health information (“PHI”) is information that relates to an individual’s past, present or future health or condition; the provision of health care to the individual; or any payment for the provision of health care to the individual. This information either identifies the individual or provides a reasonable basis to believe that it can be used to identify the individual. Covered entities are required to implement certain technical safeguards to protect PHI as prescribed by HIPAA, which provides standards for access and audit controls, the integrity and authentication of data, and transmission security. Any improper use or disclosure of PHI is presumed to be a data breach unless the covered entity can demonstrate, based on an internal risk assessment, that there is a low probability that the PHI has been compromised.
If any of the data stolen in its recent breach qualifies as PHI, Anthem is required to provide written notice of the breach to individuals whose data may have been affected via first-class mail, or by e-mail if the individual has agreed to receive notices electronically. If Anthem’s contact information for at least ten of its members is out of date, notice must also be posted on its website for ninety (90) days or published in major print or broadcast media where the affected individuals reside. If more than 500 residents of a state or jurisdiction are affected, notice must be provided to major media outlets in the area (usually through a press release). Such notice must be provided without unreasonable delay (no later than sixty (60) days after discovery of the breach) and must include a description of the breach, the PHI involved, how members may protect themselves from harm resulting from the breach, and the steps that Anthem is taking to investigate the breach and prevent future incidents. In addition, Anthem must give notice to the U.S. Secretary of Health and Human Services.