February 19, 2015

Frequently Asked Questions from Health Plan Sponsors about the Anthem Data Breach

As has been widely reported, health insurance company Anthem, Inc. (Anthem) was recently the target of a cyber attack that resulted in a large breach of private account information affecting up to 80 million individuals. The member data accessed was reported to include names, dates of birth, Social Security numbers, addresses, phone numbers, e-mail addresses and employment information. Anthem has created a website with more information about the breach and how the health insurer is responding to it. To further assist those who may have been affected by the Anthem breach, Segal Select Insurance Services has provided answers to some frequently asked questions from health plan sponsors.

Note: You should consult with your legal counsel regarding your plan’s responsibilities in connection with the Anthem breach. Segal Select does not practice law and cannot provide legal advice.

How do I know if my plan has been affected by the data breach at Anthem?

The first step is to determine whether your plan has any relationship with Anthem and then determining whether Anthem may be storing or using personally identifiable information (PII) or protected health information (PHI) on behalf of the plan.

My plan does have a relationship with Anthem involving private data. What should I do?

If you do have a relationship with Anthem involving such private data, regardless of the specific details, your next step should be to discuss the matter with legal counsel to determine if your plan should notify its cyber liability and fiduciary liability insurance carriers of the Anthem data breach as a claim or potential claim under your policy.

Can my plan be held liable for the Anthem data breach?

There is uncertainty about whether any liability for this breach could be assigned to your health plan. Nonetheless, notifying your fiduciary insurance carrier  should help preserve a plan’s contractual right to coverage if an individual ever seeks damages alleging that a plan violated its fiduciary obligations in working with Anthem.

Can my plan purchase insurance that will retroactively cover the Anthem breach?

No. Retroactive insurance is generally not available in this type of situation. However, full or limited prior acts coverage is generally available for unknown events subject to a warranty of no known claims or circumstances and/or specific exclusion for any previous incidents, such as the Anthem breach.

Should I provide my affected participants with credit monitoring and repair services and/or identity theft insurance?

It does not appear that plans need to purchase these services for affected participants. Anthem says on its web page on the topic that it will offer 24 months of identity theft repair and credit monitoring services to current or former members of an affected Anthem plan dating back to 2004. Credit monitoring and repair services alert consumers about questionable transactions and other activity that may affect their credit score, as well as provide funding to help identity-theft victims reestablish their credit record. Most cyber liability insurance policies provide credit monitoring to individuals affected by a data breach. Please note: Anthem has stated that it will not reimburse a plan for credit monitoring and repair services that  may have been independently purchased.

Anthem also says that, at no cost, you may enroll at any time during the 24-month coverage period in a service that offers additional layers of protection including credit monitoring and an identity theft insurance policy. Identity theft insurance provides coverage for participants’ financial losses due to unauthorized electronic fund transfers, among other protections. Some cyber liability insurance policies may include identity theft insurance and others may not, depending on the terms offered by the carrier.

Where can I find more information about dealing with the Anthem breach?

If you have questions, please contact Segal Select experts Mark A. Dobrow at 312.984.8660 or Matt Jackson at 212.251.5387.

Plans should always rely on legal counsel for authoritative advice on all issues involving the interpretation or application of laws and regulations. Segal Select does not practice and cannot provide legal advice.

Share this page


Contact an Expert

Brian Smith

Brian Smith

Retired Chief Operating Officer, Segal Select Insurance Services, Inc