On March 17, 2015, Premera announced a data breach involving the personal information of more than 11 million individuals resulting from what it characterized as a sophisticated, targeted cyber-attack. Employers and plan sponsors should take steps to verify how the Premera breach affects their plans and that notifications are being appropriately provided to consumers, attorneys general, and regulators, in compliance with HIPAA and state law. The Premera breach appears at the moment to be separate and distinct from the Anthem breach that was announced in February. It remains to be seen whether they are related.
According to Premera, breached records dated from 2002 to 2015 for individuals whose health benefits were insured or served by Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Individuals who do business with Premera, as well as Premera employees, also are likely to have been affected.
The information that may have been accessed ranges from names and general contact information to more sensitive information, such as Social Security numbers, member identification numbers, medical claims information, and bank account information, but does not include credit card information for members. Premera’s investigation has not determined that any information actually was removed from its systems, and so far, Premera has stated it has no evidence that any accessed information has been used inappropriately. Premera has announced that it is offering two years free credit monitoring and identity theft protection services to anyone affected by this incident.
Current breach information from Premera is available at www.premeraupdate.com. Premera has indicated that it will notify affected individuals by mail. Organizations and plans that have had dealings with Premera may want to provide information about the breach and warn employees of phishing and other attacks that commonly occur after these types of announcements.
For self-insured group health plans that currently contract -- or at any time since 2002 has contracted -- with Premera as a third party administrator or TPA, there are a few steps that you may want to consider taking immediately:
- Determine whether you (the employer) have breach notification obligations under HIPAA and state law (such as the plan sponsor of a self-insured plan with Premera acting as the TPA). You may want to consult with an attorney who is experienced with HIPAA and breach notification issues.
- If you have breach notification obligations, then review whether the notification obligations have been contractually delegated to Premera, such as in the business associate agreement;
- If breach notification obligations have not already been contractually delegated to Premera, then consider whether to formally delegate those obligations to Premera now;
- Coordinate with your Premera representative over the coming days to address who will provide the necessary breach notifications and verify that the notification will be sufficient to meet your obligations under the law;
- Create an internal security incident report to demonstrate that you are aware that a security incident affecting the group health plan has occurred and document the actions that are being taken and the basis for any delay (e.g., that you are waiting on more information from Premera);
- Develop documentation related to the breach, and once any required breach notifications have been made, ensure that you have some evidence (such as information from Premera) demonstrating that the necessary breach notifications to affected individuals, the Department of Health and Human Services (“HHS”), the media, and potentially state regulators and consumer reporting agencies have been made; and
- Track appropriate information for accounting of disclosures.
Understanding Employer Obligations When Insurer or Third-Party Administrator is Victim of Data Breach
Employers whose group health plans contract with Premera need to understand what, if any, responsibilities fall on them as a result of this incident. Group health plans may be affected because Premera: (1) provides insured health benefits; (2) administers health benefits for a self-insured plan; or (3) administers out of area/network claims. Additionally, employers may have liability for any wellness programs that may have been provided by Premera. This advisory explains the HIPAA and state law consequences and provides practical guidance on what employers need to do to comply with their legal obligations.
Does HIPAA Apply?
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies if the compromised information is “protected health information” – a broad category of individually identifiable health information that includes demographic information. Premera’s investigation has determined that the attackers may have gained unauthorized access to members’ information, which could include members’ name, date of birth, Social Security number, mailing address, email address, telephone number, member identification number, bank account information, and claims information, including clinical information. All of this information may fall within the definition of “protected health information.”
What Does this Mean for Employers Under HIPAA?
If the breached data is protected health information, Premera will be required to provide breach notification under HIPAA. Notice obligations under HIPAA vary, depending on whether the compromised information relates to: (1) an individual policy; (2) a fully insured group health plan; or (3) a self-insured group health plan.
With respect to individual policies and fully insured group health plans, Premera may be the health insurance issuer and the employer does not appear to have breach notification obligations under HIPAA. In these cases, a breach of unsecured protected health information likely requires Premera to notify affected individuals, HHS, and the media.
For self-insured group health plans, where Premera is the TPA, the plan itself has the obligation under HIPAA to notify affected individuals, HHS, and potentially the media. This responsibility ultimately falls on the employer, as the plan sponsor. An employer may delegate its breach notification obligations to Premera, as its business associate.
Although Premera reportedly commenced notifying individuals of this breach, employers who sponsor a self-funded health plan and have contracted with Premera as a TPA should review whether their contracts delegate notification obligations to Premera. A self-insured group health plan’s business associate agreement with Premera may address delegation of breach notification responsibilities. If not, then formal documentation of any delegation may be required if the group health plan chooses to delegate breach notification to Premera. Once an employer delegates the breach notification obligations to Premera, it should obtain evidence on behalf of its self-insured health plan that Premera has provided the HIPAA-required notifications as documentation for the employer’s compliance records.
How Will State Law Apply?
State laws may present similar issues. For example, 47 state breach notification laws, plus the District of Columbia and two U.S. territories, require the non-owner of data to notify the owner of the data if there is a breach of certain information, including social security numbers. When Premera is acting as a TPA, it may be treated as the non-owner of the data and have an obligation to report to the owner of the information. Ultimately, under these state laws, the self-insured group health plan, as the owner of the data, may need to notify affected individuals and, possibly, regulators and consumer reporting agencies.
For any questions, feel free to contact Rebecca Williams, or the attorney with whom you normally work.