Today’s report by Premera Blue Cross of a massive data breach affecting as many as 11 million customers’ personal health and financial information on the heels of the large-scale data breach announcement by fellow Blue Cross Association, Anthem, is another reminder that employers and other health plan sponsors, fiduciaries, insurers specifically, and U.S. businesses generally should immediately assess and tighten up their privacy, data security and data breach compliance and risk management to fulfill applicable legal mandates and to strengthen defenses against resulting liabilities and member backlash likely to arise from these or future breaches.
Notice of the Premera and Anthem breaches are likely to trigger obligations for health plans and their sponsoring employers or unions, administrators, insurers, and other vendors and service providers to take immediate steps to conduct documented investigations, take corrective action and provide breach notifications the Privacy, Security and Breach Notification rules of the Health Insurance Portability & Accountability Act require health plans and their business associates to provide in response to notice of a breach. Depending on the scope and nature of data affected and their involvement with the affected plans, employer or other plan sponsors, fiduciaries, administrators and service providers also may be subject additional responsibilities under applicable contracts and policies, the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code, and a host of other laws. Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security, or other federal or state laws. See, e.g., Restated HIPAA Regulations Require Health Plans To Tighten Privacy Policies And Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons For Health Plans, Providers and Business Associates.
The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches. The occurrence of these breaches arguably raises the questions about the adequacy of the safeguards, practices and policies of other health plans and insurers, their sponsors and fiduciaries, insurers, administrators and other vendors. places other health plans. Health plans, their sponsors, fiduciaries, administrators, insurers and other vendors generally will want to make prudent documented inquiries about the adequacy of their health plan’s data security and privacy safeguards in anticipation of potential future breaches, audits or other scrutiny.
Beyond the specific health plan related concerns, most businesses also will want to consider the adequacy and defensibility of the data collection, use, disclosure, security and other practices affecting sensitive data within or on behalf of their organization. The report of these and other health plan breaches, as well recent reports of identity theft and other fraud impacting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use, and protection of sensitive personal and other data.
Of course, as in the case of health plans, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities. These new technologies and practices are fueling a host of new mandates, opportunities and risks for virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.
With everyone from the Internal Revenue Service and other federal and state government agencies to private business partners pushing to leverage the efficiencies and other opportunity of electronic transactions and data, businesses in the US and around the world increasing are encouraged if not required to conduct more and more transactions containing sensitive business and individual tax information, personal financial information, personal health information, trade secrets and other confidential business and personal information electronically. Meanwhile big data and other business and marketing gurus also encourage business to leverage their own opportunities to use data collected for these business mandates and expanding technology also to collect, use and repurpose customer, prospect or other business information collected in the course of business to benefit their business’ marketing, transactional and other opportunities.
As these practices take hold and expand, data breaches and other cyber crime events, the legal requirements and risks of collection and use of data also are growing. Privacy, identity theft and other cyber crime and other concerns have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations including but not limited to the Fair & Accurate Credit Transaction Act (FACTA),the Gramm-Leach-Bliley Act, the HIPAA Privacy & Security Rules, state identity theft, data security and data breach and other electronic privacy and security laws and an ever-growing plethora of others.
As the cyber crime epidemic continues to grow and notorious breeches and schemes involving the Internal Revenue Service, Veterans Administration, retail giants like Target, Home Depot, and others, insurance giants like Anthem and Premera and others, government and private enforcement is rising and the judgments, penalties and other costs soaring even as federal and state regulators are looking at the need for expanded rules and penalties. See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities & Statistics. In addition, widening data privacy and security concerns from these massive data breach reports also are prompting Congress and State regulatorsto consider the need for added reforms, see, McCaul to Hold Hearing on President’s Cybersecurity. In deed, even before news of the Premera breach broke, he Federal Trade Commission today announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.
While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses already affected illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.
The now notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between November 27 and December 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before despite having announced plans to invest $100 million upgrading their payment terminals to support Chip-and-PIN enabled cards and millions of dollars more in rectification efforts. See The Target Breach, By the Numbers. Subsequently, Target’s losses have continued to mount even as it now faces lawsuits and other enforcement actions as a result of the breach. See Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue. Meanwhile, the enforcement and other fallout continues to evolve.
While businesses generally need to tighten their defenses and compliance, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens. The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards to prevent and respond to breaches of protected health information. In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible and usually no later than 30 days after the health plan knows or has reason to know of the breach. Significant civil and even criminal penalties can apply if a health plan, health insurer or its business associate fails to fulfill these obligations.
Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have other less-realized responsibilities. As health plan data often includes payroll and other tax data, employers, the health plans and other parties involved also may have specific responsibilities under the Internal Revenue Code or other laws. To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises discretion and control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action to meet fiduciary obligations of ERISA. Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws. Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, health care providers and others involved with the health plan.
In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to the breaches reported. Along with these specific health plan related responses, businesses also should the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever vigilant for new requirements, as well as weaknesses in their own practices. Health plans specifically and businesses generally need to build their defenses in anticipation of these events both to withstand government and private litigation and enforcement, and to survive the harsh judgment of public opinion.
For Help With Risk Management, Compliance & Other Management Concerns
If you need assistance in responding to a health plan breach concern or with auditing or assessing, updating or defending your organization’s compliance, risk management or other internal controls practices or actions, please contact the author of this update, attorney Cynthia Marcotte Stamer here or at (469) 767-8872.
Scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights, a faculty and steering committee for the Southern California ISSA-HIMSS Health Care Privacy Program, Board Certified in Labor & Employment Law, a Fellow in the American College of Employee Benefits Counsel recognized as a “Top 100” lawyer in labor and employment, employee benefits and health care law, Ms. Stamer is nationally recognized for her work, publications, public speaking and education and other leadership on privacy and data security and other risk management and compliance.
A management attorney who works with businesses and government to manage and redress people, process and risk, Ms. Stamer has worked extensively on data and other privacy risk management and compliance, Throughout her career, she has conducted investigations and advised, and assisted health care, insurance, retail and a broad range of other public and private organizations with privacy and data security audit and risk management, contracting, investigation, defense and remediation throughout her more than 25 year career.
Past Chair and of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Committee, a Council Representative on the ABA Joint Committee on Employee Benefits, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, current Co-Chair of the RPTE Welfare Benefit Committee and Vice Chair of the ABA TIPS Employee Benefits Committee, Ms. Stamer works, publishes and speaks extensively on cyber crime and other privacy, management, reengineering, investigations, human resources and workforce, employee benefits, compensation, internal controls and risk management, federal sentencing guideline and other enforcement resolution actions, and related matters. She also is recognized for her publications, industry leadership, workshops and presentations on these and other concerns and regularly speaks and conducts training on these matters.Her insights on these and other matters appear in the Bureau of National Affairs, Spencer Publications, the ABA, Insurance Thought Leadership, the Wall Street Journal, the Dallas Business Journal, the Houston Business Journal, and many other national and local publications.
As part of her extensive involvements in privacy and data security concerns, Ms. Stamer will be among the panelists discussing “Fiduciary Obligations In the Context of a Data Breach” conference call to be hosted on April 2, 2015 by Fiduciary Responsibility Committee of the American Bar Association (ABA) Real Property Probate and Estate Section Employee Benefits & Other Compensation Group. During the program, Ms. Stamer and other panelists will discuss the quagmire of fiduciary legal and operational challenges that data breach announcements by health plan vendors and insurers present for employer and union-sponsored health plan fiduciaries and health plans. She also will serves as the scribe for the upcoming ABA Joint Committee On Employee Benefits Annual Agency Meeting with the Federal agency that enforces HIPAA, the Office of Civil Rights, and 2014 Conference Chair and steering committee and faculty member of the Southern California ISSA/HIMSS Healthcare Privacy & Security Summit scheduled for June 4, 2015 in Los Angeles.
For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For information about participation in the April 2 Conference Call or joining the Committee, see here.
About Solutions Law Press
Solutions Law Press™ provides business risk management, legal compliance, management effectiveness and other resources, training and education on human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press resources at www.solutionslawpress.com.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here.
©2015 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. All other rights reserved.