Health Plans, Sponsoring Employers & Others Urged To Act Immediately In Response To Premera, Anthem Blue Cross Breaches

March 17, 2015

Today’s report by Premera Blue Cross of a massive data breach affecting as many as 11 million customers’ personal health and financial information on the heels of the large-scale data breach announcement by fellow Blue Cross Association, Anthem, is another reminder that employers and other health plan sponsors, fiduciaries, insurers specifically, and U.S. businesses generally should immediately assess and tighten up their privacy, data security and data breach compliance and risk management to fulfill applicable legal mandates and to strengthen defenses against resulting liabilities and member backlash likely to arise from these or future breaches.

Notice of the Premera and Anthem breaches are likely to trigger obligations for health plans and their sponsoring employers or unions, administrators, insurers, and other vendors and service providers to take immediate steps to conduct documented investigations, take corrective action and provide breach notifications the  Privacy, Security and Breach Notification rules of the Health Insurance Portability & Accountability Act require health plans and their business associates to provide in response to notice of a breach. Depending on the scope and nature of data affected and their involvement with the affected plans, employer or other plan sponsors, fiduciaries, administrators and service providers also may be subject additional responsibilities under applicable contracts and policies, the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code, and a host of other laws.  Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security, or other federal or state laws.  See, e.g., Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates.

The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches.  The occurrence of these breaches arguably raises the questions about the adequacy of the safeguards, practices and policies of other health plans and insurers, their sponsors and fiduciaries, insurers, administrators and other vendors.  places other health plans.  Health plans, their sponsors, fiduciaries, administrators, insurers and other vendors generally will want to make prudent documented inquiries about the adequacy of their health plan’s data security and privacy safeguards in anticipation of potential future breaches, audits or other scrutiny.

Beyond the specific health plan related concerns, most businesses also will want to consider the adequacy and defensibility of the data collection, use, disclosure, security and other practices affecting sensitive data within or on behalf of their organization.  The report of these and other health plan breaches, as well recent reports of identity theft and other fraud impacting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use, and protection of sensitive personal and other data.

Of course, as in the case of health plans, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities.  These new technologies and practices are fueling a host of new mandates, opportunities and risks for virtually every U.S. business.  Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.

With everyone from the Internal Revenue Service and other federal and state government agencies to private business partners pushing to leverage the efficiencies and other opportunity of electronic transactions and data, businesses in the US and around the world increasing are encouraged if not required to conduct more and more transactions containing sensitive business and individual tax information, personal financial information, personal health information, trade secrets and other confidential business and personal information electronically.  Meanwhile big data and other business and marketing gurus also encourage business to leverage their own opportunities to use data collected for these business mandates and expanding technology also to collect, use and repurpose customer,  prospect or other business information collected in the course of business to benefit their business’ marketing, transactional and other opportunities.

As these practices take hold and expand, data breaches and other cyber crime events, the legal requirements and risks of collection and use of data also are growing.  Privacy, identity theft and other cyber crime and other concerns have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations including but not limited to the Fair & Accurate Credit Transaction Act (FACTA),the Gramm-Leach-Bliley Act, the HIPAA Privacy & Security Rules, state identity theft, data security and data breach and other electronic privacy and security laws and an ever-growing plethora of others.

As the cyber crime epidemic continues to grow and notorious breeches and schemes involving the Internal Revenue Service, Veterans Administration, retail giants like Target, Home Depot, and others, insurance giants like Anthem and Premera and others, government and private enforcement is rising and the judgments, penalties and other costs soaring even as federal and state regulators are looking at the need for expanded rules and penalties.   See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities & Statistics. In addition, widening data privacy and security concerns from these massive data breach reports also are prompting  Congress and State regulatorsto consider the need for added reforms, see, McCaul to Hold Hearing on President’s Cybersecurity.  In deed, even before news of the Premera breach broke, he Federal Trade Commission today announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.

While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses already affected illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.

The now notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between November 27 and December 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before despite having announced plans to invest $100 million upgrading their payment terminals to support Chip-and-PIN enabled cards and millions of dollars more in rectification efforts. See The Target Breach, By the Numbers. Subsequently, Target’s losses have continued to mount even as it now faces lawsuits and other enforcement actions as a result of the breach. See Banks’ Lawsuits Against Target for Losses Related to Hacking Can ContinueMeanwhile, the enforcement and other fallout continues to evolve.

While businesses generally need to tighten their defenses and compliance, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens.  The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards to prevent and respond to breaches of protected health information.  In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible and usually no later than 30 days after the health plan knows or has reason to know of the breach.  Significant civil and even criminal penalties can apply if a health plan, health insurer or its business associate fails to fulfill these obligations.

Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have other less-realized responsibilities.  As health plan data often includes payroll and other tax data, employers, the health plans and other parties involved also may have specific responsibilities under the Internal Revenue Code or other laws.   To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises discretion and control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action to meet fiduciary obligations of ERISA.  Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws.  Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, health care providers and others involved with the health plan.

In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to the breaches reported.  Along with these specific health plan related responses,  businesses also should the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever vigilant for new requirements, as well as weaknesses in their own practices.  Health plans specifically and businesses generally need to build their defenses in anticipation of these events both to withstand government and private litigation and enforcement, and to survive the harsh judgment of public opinion.

 For Help With Risk Management, Compliance & Other Management Concerns

If you need assistance in responding to a health plan breach concern or with auditing or assessing, updating or defending your organization’s compliance, risk management or other  internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469) 767-8872.

Scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights, a faculty and steering committee for the Southern California ISSA-HIMSS Health Care Privacy Program, Board Certified in Labor & Employment Law, a Fellow in the American College of Employee Benefits Counsel  recognized as a “Top 100″ lawyer in labor and employment, employee benefits and health care law, Ms. Stamer is nationally recognized for her work, publications, public speaking and education and other leadership on privacy and data security and other risk management and compliance.

A management attorney who works with businesses and government to manage and redress people, process and risk, Ms. Stamer has worked extensively on data and other privacy risk management and compliance,  Throughout her career, she has conducted investigations and advised, and assisted health care, insurance, retail and a broad range of other public and private organizations with privacy and data security audit and risk management, contracting, investigation, defense and remediation throughout her more than 25 year career.

Past Chair and of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits,  past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, current Co-Chair of the RPTE Welfare Benefit Committee and Vice Chair of the ABA TIPS Employee Benefits Committee, Ms. Stamer works, publishes and speaks extensively on cyber crime and other privacy, management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters.  She also is recognized for her publications, industry leadership, workshops and presentations on these and other  concerns and regularly speaks and conducts training on these matters.Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the ABA, Insurance Thought Leadership, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications.

As part of her extensive involvements in privacy and data security concerns, Ms. Stamer will be among the panelists discussing “Fiduciary Obligations In the Context of a Data Breach” conference call to be hosted on April 2, 2015 by Fiduciary Responsibility Committee of the American Bar Association (ABA) Real Property Probate and Estate Section Employee Benefits & Other Compensation Group.  During the program, Ms. Stamer and other panelists will discuss the quagmire of fiduciary legal and operational challenges that data breach announcements by health plan vendors and insurers present for employer and union-sponsored health plan fiduciaries and health plans.  She also will serves as the scribe for the upcoming ABA Joint Committee On Employee Benefits Annual Agency Meeting with the Federal agency that enforces HIPAA, the Office of Civil Rights, and 2014 Conference Chair and  steering committee and faculty member of the Southern California ISSA/HIMSS Healthcare Privacy & Security Summit scheduled for June 4, 2015 in Los Angeles.

For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.  For information about participation in the April 2 Conference Call or joining the Committee, see here.

About Solutions Law Press

Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources at

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here.

©2015 Cynthia Marcotte Stamer.  Non-exclusive right to republish granted to Solutions Law Press.  All other rights reserved.

Tell Congress to protect wellness programs against EEOC attacks

January 28, 2015

The EEOC has declared war on many employer sponsored wellness programs. The Senate Health, Education, Labor, and Pensions Committee will hold a hearing about how to improve employer wellness programs on Thursday, January 29. Employers and others should urge the Committee and other Congressional leaders to overrule the EEOC’s attacks on wellness programs as illegal disability discrimination under the Americans with Disabilities Act.

Stamer Recognized As A “Top” Labor & Employment Lawyer

January 7, 2015

Cynthia Marcotte Stamer is recognized among the “Top Rated” Labor & Employment Lawyers in Texas in the 2014 LexisNexis® Martindale-Hubbell® list of Top Rated Lawyers.  An AV® Preeminent™ (the highest Peer Review Rating available) rated lawyer, Ms. Stamer earned the “Top Rated” Distinction based on confidential Martindale-Hubbell Peer Review Ratings opinions about her skills and experience submitted by other AV® Preeminent™ lawyers and members with professional knowledge of her work.

A noted Texas-based management lawyer and consultant, author, lecturer and policy advocate, Ms. Stamer is nationally and internationally known for her innovative leadership and work helping businesses, governments, and communities manage workforce and other performance and other labor and employment, employee benefits and workforce related representations.

Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization,  and a Fellow in the American Bar Association, Texas Bar Association, and the American College of Employee Benefit Counsel,  Ms. Stamer’s legal and management consulting work focuses on helping employers, insurers, employee benefit plans and their administrators, fiduciaries and advisors, community leaders and governments manage people, process and risk.   Throughout her more than 25 year career, Ms. Stamer has helped management deal with all aspects of human resources and workforce management, including employment and outsourcing contracting and performance management, reengineering and other change management, internal controls, compliance and risk management, compensation and employee benefits, communications, worker classification, tax, government relations, enforcement and litigation defense, and other related matters.  Drawing upon her extensive knowledge base of knowledge and wealth of practical skills, Ms. Stamer helps businesses and their leaders manage their employees and other workers and service providers, their performance, compliance, compensation, benefits, risks and liabilities, as well as to prevent, stabilize and cleanup workforce and operations crises large and small that arise in the course of operations.

In addition to her more traditional legal, internal controls and other management consulting work, Ms. Stamer also extensively works with a broad range of business and government clients on health care, pension, social security, workforce, insurance and many other related policy matters critical to their business success and liability management. She both only helps her clients anticipate, monitor and cope with emerging laws, regulations and enforcement and respond to and resolve government investigations and enforcement actions, she also helps them shape the rules through dealings with Congress and other legislatures, regulators and government officials domestically and internationally.  A former lead consultant to the Government of Bolivia on its Social Security reform law and most recognized for her leadership on U.S. health and pension, wage and hour, tax, education and immigration policy reform, Ms. Stamer works with U.S. and foreign businesses, governments, trade associations, and others on workforce, social security and severance, health care, immigration, privacy and data security, tax, ethics and other laws and regulations. Founder and Executive Director of the Coalition for Responsible Healthcare Policy and its PROJECT COPE: the Coalition on Patient Empowerment and a Fellow in the American College of Employee Benefit Counsel, the American Bar Association (ABA) and the State Bar of Texas, Ms. Stamer annually leads the Joint Committee on Employee Benefits (JCEB) HHS Office of Civil Rights agency meeting.  She also works as a policy advisor and advocate to many business, professional and civic organizations.

Author of the thousands of publications and workshops these and other employment, employee benefits, health care, insurance, workforce and other management matters, Ms. Stamer’s insights on employee benefits, insurance, health care and workforce matters in Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders, Employee Benefit News, Texas CEO Magazine, HealthLeaders, Modern Healthcare, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA,, Employee Benefit News, and many other prominent publications. She also regularly serves on the faculty and planning committees for symposia of LexisNexis, the American Bar Association, the Society of Employee Benefits Administrators, the American Law Institute, ISSA, HIMMs, and many other prominent educational and training organizations and conducts training and speaks on these and other management, compliance and public policy concerns.

Beyond these involvements, Ms. Stamer also is active in the leadership of a broad range of other professional and civic organizations. For instance, Ms. Stamer presently serves as Vice President of the North Texas Healthcare Compliance Professionals Association; Immediate Past Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Committee and its current Welfare Benefit Plans Committee Co-Chair, on its Substantive Groups & Committee and its representative to the ABA Joint Committee on Employee Benefits; Past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and a current member of its Healthcare Coordinating Council; current Vice Chair of the ABA TIPS Employee Benefit Committee; the former Coordinator and a Vice-Chair of the Gulf Coast TEGE Council TE Division and as a faculty member, editorial advisory board member, speaker and author for numerous human resources, employee benefits, insurance, technology and data security and other professional associations, programs, and publications.  She previously served as a founding Board Member and President of the Alliance for Healthcare Excellence, as a Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; the Board President of the early retirement intervention agency, The Richardson Development Center for Children; Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a member of the Board of Directors of the Southwest Benefits Association.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here.

©2015 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.

IRS Gives Guidance On When Defined Benefit Funding Method Changes Due Actuary Change Automatically Approved

January 6, 2015

The Internal Revenue Service (IRS) today (January 6, 2015) published guidance on when a change in a single-employer defined benefit plan’s funding method due to a change in the plan’s enrolled actuary will qualify for automatic approval.  For additional details, see Announcement 2015-03, which is scheduled for official publication in Internal Revenue Bulletin 2015-3 on January 20, 2015.

For Advice, Training & Other Resources

If you need assistance resolving past Form 5500 or other filing exposures, or monitoring and responding to these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, an ABA Joint Committee On Employee Benefits Council representative, Past Chair of the ABA Health Law Section Managed Care & Insurance Section, a Fellow in the American College of Employee Benefit Counsel, ABA, and State Bar of Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health plans and insurers about ACA, and a wide range of other plan design, administration, data security and privacy and other compliance risk management policies.  Ms. Stamer also regularly represents clients and works with Congress and state legislatures, EBSA, IRS, EEOC, OCR and other HHS agencies, state insurance and other regulators, and others.   She also publishes and speaks extensively on health and other employee benefit plan and insurance, staffing and human resources, compensation and benefits, technology, public policy, privacy, regulatory and public policy and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of the Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating or updating your profile here. For important information about this communication click here

NOTE:  This article is provided for educational purposes.  It is does not establish any attorney-client relationship nor provide or serve as a substitute for legal advice to any individual or organization.  Readers must engage properly qualified legal counsel to secure legal advice about the rules discussed in light of specific circumstances.

The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations.  The Regulations now require that either we (1) include the following disclaimer in most written Federal tax correspondence or (2) undertake significant due diligence that we have not performed (but can perform on request).


©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republished granted to Solutions Law Press, Inc. All other rights reserved.


Get every new post delivered to your Inbox.

Join 600 other followers