My colleagues Kristen Mathews, Roger Cohen and Ellen Moskowitz, all part of our Privacy and Data Security Practice Group, recently blogged about the Anthem Cyber Attack.
Importantly for our readers, the blog discusses the obligations of employers, multiemployer health plans, and others responsible for employee health benefit programs to notify employees and health plan participants that their personal information may have been compromised. Obligations can arise under the Health Insurance Portability and Accountability Act (HIPAA), and state data breach notification laws may also hold them responsible for ensuring that certain notifications related to the incident are made. The nature of these obligations will depend on whether the benefits offered through Anthem are provided under an insurance policy, and so are considered to be “fully insured,” or whether the Anthem benefits are provided under a “self-insured” arrangement, where Anthem does not insure the benefits but instead administers them. The most significant legal obligations on the part of employers, multiemployer health plans, and others responsible for employee health benefit programs will apply to Anthem benefits that are self-insured.
To read more about this, I attach a link to the full blog.