Change Healthcare Cybersecurity Attack
By Burnham Compliance
04.09.24

Cybersecurity Breach at Change Healthcare

While any commercial enterprise may be a potential target for a cybercriminal, insurance carriers and other professional service providers operating in the employee benefits space may be particularly susceptible to cybercrime, both because of the range of plan-level PHI they receive, maintain, and transmit and because of the sheer volume of PHI-implicating transactions they engage in on a daily basis.

Remember that the viewing and/or exfiltration of unsecured HIPAA PHI (that is, its removal to a location controlled by a cybercriminal rather than by the covered entity or its agent) may give rise to a notifiable HIPAA breach event, triggering investigatory duties, harm mitigation responsibilities, breach notification obligations, and other interrelated defensive operations for the sponsoring employer. Employers are encouraged to routinely review and administer their administrative simplification responsibilities, as detailed under HIPAA. To that end, please see the following link for a summary checklist detailing many of the HIPAA administrative simplification requirements for HIPAA covered entities.

Employer Action Items

As a group health plan sponsor, an employer’s responsive obligations arising from a cybercrime event depend largely upon the underlying funding status of the employer’s core employee benefit plans (e.g., health, vision, and dental plans):

  • For fully insured arrangements, the sponsoring employer will generally defer to the plan’s insurance issuers or carriers for performance of any HIPAA-mandated obligations, including any breach-related duties;
  • Conversely, self-funded and level-funded plan sponsors must assure their own satisfaction of HIPAA’s privacy and security requirements due to their status as individual plan sponsors of group health plans maintained under these funding methodologies (in this context, the core benefit plans sponsored by these employers are referred to as “HIPAA covered entities”).

Employer plan sponsors that are HIPAA covered entities may also need to comply with additional interrelated responsibilities arising outside the context of HIPAA (for example, certain obligations memorialized in the organization’s handbooks, its organizational policies and procedures, and its standard operating procedures). Additional privacy and security related obligations for the employer may be detailed in various state-level statutory mandates or even within certain international laws or other global-scope regulations. Finally, note that a diligent review of the employer’s administrative and vendor-related service agreements may give rise to additional employer responsibilities arising in this arena.

The HIPAA breach notification requirements must be individually evaluated and comprehensively performed by HIPAA covered entities, oftentimes with assistance from the employer’s contracted business associates, to the extent there is a breach event resulting in the viewing and/or acquisition of unsecured protected health information (PHI). Thus, responsibility for issuing the required classes of breach notification (including disclosures to affected individuals, the local news media, and, as applicable, the Secretary of the US Department of Health and Human Services) will always depend chiefly upon an analysis of the affected plan’s underlying funding methodology or methodologies.

Several notifications may be required as a consequence of a data breach. The particulars of notice performance, including the scope of the notice operation and the identification of the specific parties entitled to notification, will depend on the scope of the breach and several other factors. Following are summaries of three distinct types of notice operations:

  1. Individual Notice. A notice of breach must be provided by the covered entity to any affected individuals. Generally, this notice will be in written form and must be delivered via first-class mail (or by email, if the affected individual has agreed to receive such notices electronically). Notification must take place without unreasonable delay and in no instance later than 60 days from the date of discovery of the breach. A toll-free phone number must be provided for individuals to use to learn whether their information was involved in the breach. This number must be active for at least 90 days.

     A notice may have to be placed on the covered entity’s website or a similar location if more than 10 affected individuals cannot be reached because the organization’s contact information for them is insufficient or out of date;

  2. Media Notice. A covered entity that experiences a breach affecting more than 500 residents of a state or jurisdiction must notify prominent media outlets that serve that state or jurisdiction. Notification is generally made in the form of a press release to these media outlets, typically including the same information as that contained within the individual notice. The notice to the media must be provided without unreasonable delay, and in no instance later than 60 days after the breach is discovered; and,
  3. Notice to the Secretary. All breaches of HIPAA protected health information must be reported to the Secretary of the US Department of Health and Human Services (HHS) via the Department’s public website. Breaches affecting 500 or more individuals must be reported without delay, and in no instance later than 60 days after the breach discovery; whereas breaches affecting fewer than 500 individuals must be reported in a summary annual filing submitted to the Department via a dedicated web portal maintained by HHS.

Summary

Compromised data may include private or personally identifiable information, such as names, addresses, phone numbers, email addresses, birthdates, Social Security numbers, medical records, health history, and bank account and credit card numbers.

When an insurance carrier suffers a data breach, many people are affected, and the stolen information may trigger various responsibilities under the Health Insurance Portability and Accountability Act (“HIPAA”). If a carrier or third-party administrator (TPA) that you work with is attacked by cybercriminals, you need to understand your responsibilities, including the development of organizational best practices for communicating certain required information, as well as details explaining the employer-provided tools and resources intended to mitigate any harms resulting from the breach event.

Be aware of specific state-level statutory requirements imposing additional notification requirements on the entities affected by a cyberattack or other breach. State laws may be preempted if they conflict with the federal requirements outlined above. Otherwise, employers or other entities may have to comply with both the state-level statutory requirements and the very comprehensive federal requirements. This could mean that employers have to meet the more stringent requirements demanded at the state level.

Employee Communication

Communication with employees is important, especially when they may be anxious about a data breach that personally affects them. This is the case regardless of any legal requirements that may apply. Below are a few points to consider as you develop best practices for communication following a carrier data breach:

  • Let employees know what’s going on. After a breach occurs, employees may hear about it on the news or from friends and family. Make sure you give them the facts and inform them of how it affects them as soon as you have information from your insurance carrier. Depending on your contracted relationship, you may be responsible for complying with federal or state notification rules, as discussed above.
  • Reassure employees of your security measures. As their employer, you possess a lot of personally identifiable and financial information, so make sure they know that the information you store is properly secured.
  • Warn employees about the potential for scams, especially ones that are already known. Following large data breaches, phishing scams and other criminal attempts at soliciting personal information proliferate quickly. Scammers will often pose as the affected company and contact individuals under the pretense of helping them, in order to obtain sensitive information.
  • Take this opportunity to remind employees of the importance of protecting personal and company data. Reminders about passwords and other data security measures may be heeded more strongly following a breach of employees’ personal information.

Whether or not you are legally obligated to provide breach notifications to your employees, you still need to have a strategy in place to communicate with them because affected employees will have questions and concerns.

Contact The Baldwin Regulatory Compliance Collaborative for more information on responding to carrier data breaches.

More Information

Further details regarding notification requirements are available at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule.

For questions regarding this Legislative Update or any other related compliance issues, please contact your Burnham Benefits Consultant or Burnham Benefits at 949‐833‐2983 or inquiries@burnhambenefits.com.

This Legislative Update was prepared by the Baldwin Regulatory Compliance Collaborative (the “BRCC”), a partnership of compliance professionals offering client support and compliance solutions for the benefit of the Baldwin Risk Partners organization, which includes: Jason Sheffield, BRP National Director of Compliance; Richard Asensio, Burnham Benefits Insurance Services; Nicole L. Fender, the Capital Group; Bill Freeman, AHT Insurance; Stephanie Hall, RBA/TBA; Caitlin Hillenbrand, AHT Insurance; Paul Van Brunt, Baldwin Krystyn Sherman Partners (BKS); and Natashia Wright, Insgroup.

Burnham Benefits and the BRCC do not engage in the practice of law, and this publication should not be construed as the providing of legal advice or a legal opinion of any kind. The consulting advice we provide is intended solely to assist the client in assessing its compliance with applicable federal and state law requirements, and is based on our interpretation of federal guidance in effect as of the date of this publication. To the best of our knowledge, the information provided herein, and the assumptions relied on, are reasonable and accurate as of the date of this publication. Furthermore, to ensure compliance with IRS Circular 230, any tax advice contained in this publication is not intended to be used, and cannot be used, for purposes of (i) avoiding penalties imposed under the United States Internal Revenue Code or (ii) promoting, marketing or recommending to another person any tax-related matter.