Data Security for Employer Health Plans in the Wake of Anthem and Premera – April 29, 2015

Husch Blackwell

Description

Notes

See https://www.anthemfacts.com/. Anthem’s website states that Anthem discovered the cyber-attack on January 29, 2015, and that Anthem believes the intrusion “happened over the course of several weeks beginning in early December 2014.” Id.

See http://premeraupdate.com/. The Premera Blue Cross website indicates that Premera discovered its cyber-attack on the same day as Anthem, January 29, 2015, and that “the initial attack occurred on May 5, 2014.” Id.

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/.

See, e.g., Cal. Civ. Code § 1798.82(a).

78 Fed. Reg. 5650-51. See also http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html.

For example, in July 2013 Anthem’s corporate predecessor Wellmark Inc. entered into a $1.7 million resolution agreement with OCR regarding a security compromise of the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information of approximately 612,000 individuals during 2009 and 2010. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/wellpoint-agreement.pdf.

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

45 CFR § 164.308(a)(1)(ii)(A).

45 C.F.R. §§ 160.103 & 164.404–164.408.

45 CFR § 164.308(a)(8).

45 C.F.R. §§ 160.103 & 164.410.

45 CFR § 164.316(b)(2)(i).

Forty-seven states, the District of Columbia, and three US territories have PII breach notification laws, with various definitions of what constitutes PII and a breach requiring notifications. Most such statutes contain exceptions from notification requirements for entities subject to, and which comply with, breach notification requirements under HIPAA or those of other functional regulators.

See http://www.npr.org/blogs/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data.

See, e.g., http://krebsonsecurity.com/tag/fazio-mechanical-services/.

Contacts For Health Plan Data Security

Peter Sloan, Kansas City, MO, peter.sloan@huschblackwell.com, 816.983.8150

Pete Enko, Kansas City, MO, peter.enko@huschblackwell.com, 816.983.8312

About Our Data Security Team

Husch Blackwell’s Data Security Team helps clients with security compliance and risk management, data breach response, and risk mitigation, including security risk assessments and breach response readiness planning. The team is part of the firm’s Information Governance Group, which provides interdisciplinary expertise in Privacy, Data Security, and Information Management to help clients satisfy information compliance requirements and manage risk while maximizing information value.

About Our Firm

Husch Blackwell is an industry-focused, full-service litigation and business law firm with offices in 15 U.S. cities and in London. We represent national and global leaders in major industries including energy and natural resources; financial services; food and agribusiness; healthcare, life sciences and education; real estate, development and construction; and technology, manufacturing and transportation.

© Husch Blackwell LLP. Quotation with attribution is permitted.

This publication contains general information, not legal advice, and it reflects the authors’ views and not necessarily those of Husch Blackwell LLP. Specific legal advice should be sought in particular matters.

Husch Blackwell LLP | Data Security for Employer Health Plans in the Wake of Anthem & Premera | April 25, 2015