On February 4, 2015, Anthem Inc. (“Anthem”) disclosed that it had been a victim of a sophisticated cyber-attack that compromised the personal health plan data of up to 80 million customers of not only Anthem but also a much broader group of insurers and third-party administrators for whom Anthem did back-office work (collectively, Anthem’s associates, and who are listed below).

Depth Of and Information Compromised in Breach

Breach Is Much Broader Than Anthem: Many employers and individuals have ignored publicity regarding the data breach because their health plan is not labeled “Anthem.” However, because Anthem did the back-office work for (and therefore had information on file for) many other insurers and third-party administrators, the data breach potentially affects their plans as well, including the following:

• Blue Cross Blue Shield (“BCBS”) affiliates in: Alabama, Arizona, Arkansas, Florida, Hawaii, Illinois, Kansas, Louisiana, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Mexico, North Carolina, North Dakota, Oklahoma, Rhode Island, South Carolina, Tennessee, Texas, Vermont, and Wyoming; and 
• Amerigroup, Caremore, Unicare, HealthLink, HealthKeepers, Golden West, DeCare, Blue Cross and Blue Shield Association’s BlueCard, Blue Cross of Idaho, Blue Shield of California, Capital Blue Cross, CareFirst BlueCross BlueShield, GeoBlue, HealthNow New York, Highmark Blue Cross Blue Shield, Horizon Blue Cross Blue Shield of New Jersey, Hospital Service Association of Northeastern Pennsylvania, Independence Blue Cross, La Cruz Azul, Lifetime Healthcare, Premera Blue Cross, Wellmark Blue Cross and Blue Shield, Regence BlueCross BlueShield (in Oregon and Utah), and Regence BlueShield (in Idaho and portions of Washington state).

Data Breached: Anthem warns that individuals’ names, dates of birth, social security numbers, health care identification numbers, street addresses, email addresses, employer information and income information may have been compromised. The compromised information relates to individuals (including employees, spouses and dependents) currently covered by Anthem and its associates or previously covered by them—going back as far as 2004. At this point, Anthem believes that no medical or payment information (e.g., credit card numbers) was compromised.

Responses To Breach

Anthem’s Response: In response to the breach, Anthem has:

• Notified the media and three dominant credit reporting organizations (Equifax, Experian and TransUnion) of the breach;
• Filed notifications with regulators in Alaska, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New York, North Carolina, Ohio, Puerto Rico, South Carolina, Vermont, and Virginia;
• Established a website (anthemfacts.com) to answer questions and provide updated information; and
• Offered to provide free identity repair services and credit monitoring to potentially affected individuals for up to two years.

In the upcoming weeks, Anthem intends to send notices to individual customers and associates with lists of affected individuals and the exact information compromised for each individual.

Employers’ Response: Thus far, most employers have been letting Anthem take the lead while closely monitoring the situation. Many employers have also notified active employees regarding the data breach, sent a link to AnthemFacts.com (some highlighting the offer of identity theft coverage), and/or provided supplemental information (e.g., FAQs) via email or intranet or bulletin board postings.

Employers’ Considerations

While they continue to monitor the information being released by Anthem, employers also need to consider what steps they need to take separately to minimize liability and fulfill their own responsibilities, including:

• Reviewing contracts with Anthem and/or its associates who provide(d) the health care coverage to determine who is responsible for satisfying notification requirements related to the data breach (and who bears the cost). Since the breach involves many associates and over 10 years of data, there may be multiple agreements to consider.
• Evaluating whether, as an employer and/or sponsor of an employee group health plan, they have any independent obligations under state or federal data breach laws to notify regulators, participants, former participants, the media, etc., or whether Anthem has fulfilled those requirements and/or regulators will accept Anthem’s notifications on behalf of them.
• Evaluating whether there is any duty (e.g., under data breach laws or ERISA) to ensure that former employees affected by the data breach receive notice, including potentially working with Anthem and/or third parties to try to obtain current contact information for these former employees.
• Considering whether, as the sponsor of the employee health care plan, there is a fiduciary obligation to, for example: (i) evaluate whether Anthem’s efforts are sufficient to protect the plan’s participants (current and past); (ii) consider whether the plan sponsor should continue to do business with Anthem and/or its associates; and (iii) determine whether it is necessary to inquire with other service providers regarding their electronic safeguards.