Anthem, Inc., the country’s second biggest health insurer, announced on Wednesday, February 4, 2015, that it suffered a data breach containing the personal information for about 80 million customers and employees due to an external cyber-attack.  Anthem is working with the FBI and forensic experts to determine the extent and source of the data breach.

In a statement posted at www.anthemfacts.com, Anthem President and CEO Joseph R. Swedish stated that attackers gained unauthorized access to an IT system and obtained personal information such as name, birthday, medical ID/social security number, street address, email address, and employment information, including income.  “Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised,” Swedish stated.  Further information and notifications will be forthcoming from Anthem in the following days and weeks.  A Frequently Asked Questions has been posted on the website as well.

Employers who provide employee health insurance through Anthem or maintain a self-insured health plan administered through Anthem must carefully monitor Anthem’s developments and disclosures.  While no laboratory or clinical information is believed to have been compromised, employers should not interpret this to mean that no “protected health information” has been compromised.  If protected health information was compromised, employers may have reporting notification requirements, and face other issues, under the Health Insurance Portability and Accountability Act (HIPAA).  It may be the case that some of the information which Anthem has indicated was breached constitutes protected health information under HIPAA since some of this information seems to pertain to payment for health care.

Further, individuals who are currently or were previously covered by an Anthem health plan should continue to monitor these developments, and take practical actions to protect their personal information and prevent identity theft. Seeking the advice of qualified privacy and data security professionals is definitely encouraged.

“In 2015 we continue to see major corporations suffer sophisticated and targeted attacks on their information systems,” said Michael D. Stovsky, Chair of Benesch’s Innovation, Information Technology, and Intellectual Property Group.  “While we continue to see companies suffer consumer data loss, the vast majority of data breaches involve companies that are not in the consumer space.  Similar to Sony’s data breach late last year, data breaches involving employee data due to targeted attacks are on the rise.  Companies and their boards must be proactive and diligent in protecting personal information that they maintain, provide to third parties, transmit, or store in the cloud, whether it’s about consumers or employees.”