What Employers Should Do About the Anthem Privacy Breach

On January 29, 2015, Anthem, Inc. discovered a cyber-attack that may affect members in all lines of Anthem?ÇÖs business and the BlueCard program, in which a number of independent Blue Cross and Blue Shield plans participate, such as BlueCross BlueShield of Texas. Anthem?ÇÖs investigation to date indicates that members?ÇÖ names, dates of birth, ID numbers, social security numbers, addresses, phone numbers, email addresses, and employment information was accessed. Employers who believe their employees may have been affected should consider alerting them that calls or emails purporting to be from Anthem are scams. Anthem has stated that affected individuals will receive information from Anthem via mail. Employees can also be directed to Anthem?ÇÖs toll-free hotline (877) 263-7995 and to?áwww.anthemfacts.com?áfor answers to frequently asked questions as well as for information regarding credit monitoring and identity theft protection services provided by Anthem. There have been reports that HHS wants Anthem to handle the breach notification requirements under HIPAA. Employers that have self-funded plans are advised to review their HIPAA business associate agreements and to contact Anthem if they have not delegated breach notification responsibilities to Anthem. Employers should also consider documenting the incident in accordance with their own HIPAA policies and procedures, in addition to ensuring that any state notification requirements have been satisfied by Anthem.