With the news of the breach of security at Anthem health plans, many employers have been wondering whether their employees are affected and how they should respond. The breach extends to members in Anthem-affiliated plans and certain other individuals. The rights and responsibilities of employers in this situation will vary, depending on whether the plan is fully insured or self-funded.

According to reports from Anthem, the breach extends to certain information about employees and dependents covered by the following plans:

  • Anthem Blue Cross
  • Anthem Blue Cross and Blue Shield
  • Blue Cross and Blue Shield of Georgia
  • Empire Blue Cross and Blue Shield
  • Amerigroup
  • CareMore
  • Unicare
  • HealthLink
  • DeCare Dental

Information about other employees and dependents may also be subject to the breach. In particular, individuals who used their Blue Cross/Blue Shield plan to cover medical care provided in states where Anthem processed the medical bills through the “BlueCard” program may be affected. The BlueCard program is a cooperative arrangement among Blues entities that allows a member in one Blue Cross/Blue Shield plan to obtain medical care at favorable rates from providers that participate in a different Blues plan’s network. For example, if an employee participates in an Independence Blue Cross Plan in Philadelphia but has received medical care while visiting relatives in New York or Indiana, some information pertaining to that participant may have been compromised by the breach. The breach may also affect businesses that contract with one Blues entity (for example, where the headquarters is located) for a benefit program that is designed to cover employees who live or work in other states. The identification and notification of these individuals may raise additional complications.

Anthem’s investigation of the breach is ongoing, but the information taken could put individuals at financial risk. The breach compromised personal information, including names, birthdays, addresses, employment information, member ID numbers, and—most significantly (although apparently not in every instance)—Social Security numbers. Anthem does not believe that medical claims information has been compromised.

Anthem is preparing to notify affected members within the next two weeks, with an offer of certain services, including free credit monitoring. In the meantime, Anthem has set up a website (www.AnthemFacts.com) and toll-free telephone number (1.877.263.7995) with basic information. Anthem members may speak with a representative. Employers and employees should be careful to use appropriate contact information for Anthem to avoid phishing and other schemes that may, for example, offer free credit monitoring.

Given the publicity surrounding this occurrence, employees may already have started asking questions. Employers should be prepared to respond to these questions and to direct individuals, as appropriate, to the applicable Anthem contact. For fully insured plans, Anthem will be responsible for addressing breaches under HIPAA. The sponsor of a self-funded plan administered by a Blues entity should examine the breach provisions of the relevant business associate agreement to assess its rights and responsibilities.

The Anthem breach may encourage states to take legislative action aimed at protecting individuals through the encryption of data. Before the Anthem breach, New Jersey enacted encryption requirements for data maintained by health insurers that will take effect August 1.

We are following developments in the Anthem situation and would be glad to assist you with questions as they arise. If you have further questions, please contact Brian M. Pinheiro at 215.864.8511 or pinheiro@ballardspahr.com, Jean C. Hemphill at 215.864.8539 or hemphill@ballardspahr.com, David S. Fryman at 215.864.8105 or fryman@ballardspahr.com, Edward I. Leeds at 215.864.8419 or leeds@ballardspahr.com, Phillip N. Yannella at 215.864.8180 or yannellap@ballardspahr.com, or any member of the Employee Benefits and Executive Compensation Group with whom you work.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
