The Anthem Breach – What Next?

February 12, 2015

Authored by: David Zetoony and Lisa Van Fleet

The facts surrounding the Anthem breach continue to evolve, as does Anthem’s handling of the situation.

Based on the current status of the investigation, and Anthem’s current reactions to the incident, there are steps which group health plan sponsors should consider taking to fulfill their own HIPAA and fiduciary obligations with respect to group health plans affected by the Anthem breach. These steps include the following:

  • Have business associate agreements and other relevant documents reviewed to assess the plan sponsor’s rights and obligations with respect to the breach.
  • Request from Anthem:
    • additional information about the breach;
    • confirmation concerning the steps that will be taken to protect the plan sponsor’s employees and affected individuals;
    • more extensive victim protection, client indemnification, and paid notification than Anthem is currently proposing to offer; and
    • confirmation that any state notification requirements will be satisfied on behalf of plans and plan sponsors.

In addition, plan sponsors should continue to monitor ongoing developments so they can modify their own response as appropriate to fulfill their obligations with respect to, and protect, plan participants.