Why HR should care about the recent Anthem data breach

If a data breach can occur at Anthem, a company that provides health coverage to one in every nine Americans, it can happen to any medical insurer. And a number of experts believe it’s only a matter of time before it does.

By now, most HR pros have heard something about the data breach at Anthem that made national news.

More than 80 million members

According to reports, as many as 80 million current and former members may have had their medical and personal info compromised.

This info includes names, medical identification numbers, Social Security numbers and other employment information.

Unlike many data breach victims, which tend to find out about the incident via a third party (bank, credit-card company, etc.), Anthem uncovered the cyber attack on its own. When the breach was discovered, the insurer notified anyone who was potentially impacted, including policyholders, members and business partners.

In a statement, Anthem’s President and CEO Joseph R. Swedish commented on the severity of the breach by stating:

Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.

Almost half of all major breaches

Although Anthem’s breach was more publicized than other cyber attacks on health data, it’s hardly an isolated incident.

In fact, healthcare organizations accounted for 42% of all major data breaches in 2014, according to the Identity Theft Resource Center.

And industry experts believe this will only get worse.

A 2014 warning from the FBI’s Cyber Division stated that healthcare systems are at increased risk of a breach due to the transition to electronic records, loose cybersecurity standards and a higher payout on the black market for stolen medical records (this data can fetch between $100-$300 per record, compared to just 10-25 cents per compromised credit-card file).

What’s required of employers?

In light of the Anthem breach, now may be a good time to talk to your insurer about the safeguards it has in place for its medical data — and review any contracts and documents.

It’s also a good time for a refresher on what your obligations are in the event your insurer’s data is compromised.

The folks at Ogletree Deakins remind employers that plan type will determine how to react to the breach. For example:

  • If your health plan is fully insured, your insurer is the covered entity responsible for investigating and taking appropriate mitigating measures as well as providing all required notices to those affected by the breach.
  • If your plan is self-insured, the responsibility ultimately falls on you, as the plan sponsor. But when you outsource the claims administration role, the third-party administrator (TPA) may have the contractual obligation to assess and respond to the breach. At the very least, TPAs have a notice obligation to the plan/employer and a responsibility to provide details surrounding the breach.


Source: News from HR Morning