When insurance company Anthem announced a data breach on Feb. 5 affecting 80 million Americans, the largest data breach in the industry, employment health plans also flew into chaos.
Employers are technically responsible for many aspects of notification under the Employee Retirement Income Security Act, conferring more responsibility on them than they may be prepared for. BakerHostetler, a national law firm that focuses on litigation, business, employment, intellectual property and tax, hosted a webinar Feb. 10 to discuss the next steps employers should take to protect their businesses and their employees.
1. Check business associate agreements and internal data breach policies. The first step is to identify how Anthem is connected to the business. The health insurance plan networks are extensive, particularly through the Blue Cross Blue Shield network, so the business may have been affected based on where the company shared information, according to John J. McGowan, a partner with the benefit plans practice at BakerHostetler.
Companies that had direct agreements with Anthem should have been informed, but Mr. McGowan advised checking all the documentation and communicating directly with the business's legal counsel about how the data breach may have affected them.
2. Notify those affected by the breach. The company has the duty to notify the affected individuals, HHS and prominent media outlets in breaches that involve more than 500 individuals, according to Jennifer A. Mills, a partner in BakerHostetler's benefit, health and welfare plans practice. In this case, Anthem seems to be taking charge of notifying everyone of the breach, likely because of the scale, she said.
However, employers should still take note of what is legally required of them in case Anthem did not reach the individuals affected. Companies have 60 days to inform affected individuals of a data breach, dating from the first day employers know about it or should reasonably have known about it. HIPAA requires notification by first-class mail, including information about the date of discovery, the date of the breach, a description of how it happened, the data elements exposed, how affected individuals can protect themselves and contact information for Anthem.
3. Be in constant communication with Anthem, company executives, business associates and employees. The best way to make sure everyone is informed is to communicate with them directly. Employers should be in communication with Anthem to work out the first details of the breach, including who will notify the affected individuals, whether the company would like to add input to the notification, what Anthem is doing to remediate the current situation and how the payer might avoid future breaches, Ms. Mills said.
One additional danger is confusion among the employees about what data is compromised and what they can do about it. Scammers have been calling employees potentially affected in the days since the breach, trying to collect information, Ms. Mills said. If employees knew they would be notified about the details of the breach by mail, they would not give their information to a scammer over the phone thinking that it is a form of notification. Employers should develop a strategy for effectively communicating with employees, reassuring them that the company is monitoring updates and encouraging them to go to Anthem's website for updates rather than relying on media reports, according to M. Scott Koller, counsel in BakerHostetler's privacy and data protection practice. Employees should also monitor their own credit and should take the credit monitoring Anthem is offering as remediation, he said.
Employers should also be in close communication with their own executives and business associates, keeping track of updates and keeping pace with how other companies are handling the situation. Mr. McGowan said employers should communicate with all the business associates with whom they have an agreement and be advocates for their employees.
4. Plot a future course of action to avoid disasters in case of a data breach. For employers affected directly by the data breach, clearly outlining the terms of agreement with Anthem and the corrective action is paramount for moving forward without any liability. Lynn Sessions, a partner in BakerHostetler's privacy and data protection practice, noted that five class-action lawsuits over the Anthem data breach were already filed less than a week after the breach was announced.
To protect themselves, employers should review their business associate agreements and ask about data encryption policies, she added. Anthem's data was unencrypted, which left it largely vulnerable. Employers should also keep detailed records, going forward, of all decisions and considerations about procedures surrounding the breach, documenting that they were aware of cybersecurity issues and addressed them where possible.
Ms. Sessions also advised setting up security safeguards to encrypt data within the company databases to more closely protect data.
Asked if employers are liable for choosing to contract with Anthem, Mr. McGowan said it was unlikely because the case was so novel and unexpected. However, that will likely not be the case in the future, he said.
"This Anthem breach calls for a huge wakeup call," he said. "Now we know that this kind of stuff can happen and likely will happen in the future."