Putney, Twombly, Hall & Hirson LLP
521 Fifth Avenue
New York, NY 10175
Tel: (212) 682-0020


February 9, 2015



In what has been reported as potentially the largest data breach of a healthcare company, Anthem, Inc. recently reported that its databases suffered a significant cyberattack exposing personal information of approximately 80 million individuals, including those insured by related Anthem entities.  Anthem has 37 million members in 14 states, but warned that information in the infiltrated database included Blue Cross Blue Shield patients from all 50 states who had sought care in Anthem’s coverage area.  The exposed information includes member names, member health ID and Social Security Numbers, dates of birth, addresses, telephone numbers, email addresses and employment information.

Anthem has acknowledged that the data accessed by hackers was stored on servers in its corporate warehouses and that the data had not been encrypted while stored.  When the data was disseminated in and out of the warehouse, it was encrypted during transmittal, however, when it was utilized and stored in-house, the information remained unencrypted.

Take Away for Employers

The Anthem cyberattack serves as an important reminder of the need to implement appropriate physical, technical and administrative safeguards to secure protected health information (PHI) and electronic PHI in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  HIPAA creates a framework for health plans, health care providers, business associates and others to establish, implement and periodically review security protections for PHI.  HIPAA also sets forth requirements for protecting privacy of individuals’ PHI and notifying individuals when a breach of unsecured PHI occurs. 

If Anthem provides your employees with health insurance or acts as the third party administrator of your self-insured group health plan, we recommend that you work with counsel to determine from Anthem what information relevant to your employees or patients/customers may have been accessed and to clarify the extent that Anthem will be addressing notification of the breach.  In addition, it is imperative to determine what responsibilities, if any, might be necessary to respond to the security breach, including a review of contracts with Anthem to assess how data breaches are addressed, whether data ownership has been addressed by the contract and whether indemnification provisions may apply.

If you are not directly affected by the Anthem cyberattack, this may be a good time to review your HIPAA policies and procedures, business associate agreements, insurance coverage (including cyberattack specific policies) and third party administrator agreements to ensure that security policies and procedures are updated and that your company is properly protected from similar information breaches.       It is also a good time to review the storage and handling of PHI at your institution. 

As always, we are available to assist you with regarding these issues.