Cyber Alert: Anthem Data Breach: Self-Insured Plans

Date: February 12, 2015

On February 4, Anthem, Inc., the second largest health insurer in the U.S., reported that hackers breached one of its IT systems and stole personal information relating to consumers and employees.  Described as “very sophisticated,” the attack involved the records of an estimated 80 million people.  While information accessed apparently did not involve medical information or credit card numbers, it did include such personally identifiable information as names, social security numbers, and income data.  The first class actions relating to the breach were filed against Anthem the next day.

If you have a self-insured employee benefit health plan, for which Anthem serves as the administrator, you may have an obligation under the federal HIPPA law or under state data breach notification laws to notify participants in the plan and others.  If you have such a plan, you should promptly consult with legal counsel familiar with these laws.

If you have a self-insured employee benefit health plan, you should carefully review your agreement with the plan administrator (whether or not it is Anthem) to assess whether the agreement sufficiently protects the plan in the event of a data breach by the administrator and to confirm that the administrator will be required to comply with applicable data breach notification laws.
Whiteford Taylor & Preston's Cyber Security, Data Management & Privacy lawyers are available to assist you.

For assistance, please contact:

Howard R. Feldman,, 410.347.8793
Rose M. Matricciani,, 410.347.9476
S. Keith Moulsdale,, 410.347.8721

This Alert has been prepared for news and general informational purposes in a summary manner only and is not intended as legal advice.  Readers are urged to consult their legal counsel concerning any particular situation and specific legal question.