Anthem's Breach: How Employers Should Respond

With the news of the breach of security at Anthem health plans, many employers have been wondering whether their employees are affected and how they should respond. The breach extends to members in Anthem-affiliated plans and certain other individuals. The rights and responsibilities of employers in this situation will vary, depending on whether the plan is fully insured or self-funded.

According to reports from Anthem, the breach extends to certain information about employees and dependents covered by the following plans:

  • Anthem Blue Cross
  • Anthem Blue Cross and Blue Shield
  • Blue Cross and Blue Shield of Georgia
  • Empire Blue Cross and Blue Shield
  • Amerigroup
  • CareMore
  • Unicare
  • HealthLink
  • DeCare Dental

Information about other employees and dependents may also be subject to the breach. In particular, individuals who used their Blue Cross/Blue Shield plan to cover medical care provided in states where Anthem processed the medical bills through the “BlueCard” program may be affected. The BlueCard program is a cooperative arrangement among Blues entities that allows a member in one Blue Cross/Blue Shield plan to obtain medical care at favorable rates from providers that participate in a different Blues plan’s network. For example, if an employee participates in an Independence Blue Cross Plan in Philadelphia, but has received medical care while visiting relatives in New York or Indiana, some information pertaining to that participant may have been compromised by the breach. The breach may also affect businesses that contract with one Blues entity (for example, where the headquarters is located) for a benefit program that is designed to cover employees who live or work in other states. The identification and notification of these individuals may raise additional complications.

Anthem’s investigation of the breach is ongoing, but the information taken could put individuals at financial risk. The breach compromised personal information, including names, birthdays, addresses, employment information, member ID numbers, and—most significantly (although apparently not in every instance)—Social Security numbers. Anthem does not believe that medical claims information has been compromised.

Anthem is preparing to notify affected members within the next two weeks, with an offer of certain services, including free credit monitoring. In the meantime, Anthem has set up a website (www.AnthemFacts.com) and toll-free telephone number (1.877.263.7995) with basic information. Anthem members may speak with a representative. Employers and employees should be careful to use appropriate contact information for Anthem to avoid phishing and other schemes that may, for example, offer free credit monitoring.

Given the publicity surrounding this occurrence, employees may already have started asking questions. Employers should be prepared to respond to these questions and to direct individuals, as appropriate, to the applicable Anthem contact. For fully insured plans, Anthem will be responsible for addressing breaches under HIPAA. The sponsor of a self-funded plan administered by a Blues entity should examine the breach provisions of the relevant business associate agreement to assess its rights and responsibilities.

The Anthem breach may encourage states to take legislative action aimed at protecting individuals through the encryption of data. Prior to the Anthem breach, New Jersey enacted encryption requirements for data maintained by health insurers that will take effect August 1.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP