Feelin’ Blue: A Rough Month for Anthem and the Blues

Chris Allesee

Sometimes, a little perspective goes a long way. In the last month, I’ve dealt with kids running a constant cycle of colds and stomach bugs, weather-induced cabin fever, tax season, and a broken washing machine. To top it off, judging by the estimate I received, it appears I will be indirectly financing a new wing of our car mechanic’s shop. However, when put in perspective, my blues are pretty insignificant compared to the last month for Anthem and the Blue Cross and Blue Shield brands.

By now I am sure you have heard about the mega Anthem security breach, but if not, check out our prior blog post. A rough month became even worse when its affiliate Premera Blue Cross, which operates in Washington and Alaska, and Blue Cross Blue Shield of Michigan both disclosed new HIPAA breaches. Premera reported this week that it was also targeted by hackers, who may have had access to protected health information for as many as 11 million members dating back to 2002, including names, addresses, birth dates, Social Security numbers, bank accounts, and claims information. The cyberattack was discovered on January 29, 2015 (likely while Anthem was investigating its larger breach), but the hack actually occurred almost a year ago on May 5, 2014.

Another cyberattack disclosure is bad enough, but the breach reported by BCBSM last week was based on a BCBSM employee’s theft of members’ information to sell to co-conspirators in an ID theft ring. Fortunately, the breach was much smaller, affecting only 5,514 members, and BCBSM helped law enforcement investigate, indict, and arrest the perpetrators. But given the timing, having to report an insider job doesn’t look good.

As the Blues continue to sort it out and hope for more public-relations success in April, self-insured plans operating in the Pacific Northwest and Michigan may want to reach out to their brokers or representatives to find out if their participants were affected. If your self-insured plan was affected, you will need to comply with the HIPAA breach notification obligations individually for each breach. Just like the Anthem breach, you should monitor the response by Premera and BCBSM closely if they have agreed to handle these notices on your behalf so that you don’t end up singing the blues with the Blues. We have assisted many clients in wading through these obligations already, so please let us know if you would like our assistance as well.