If you currently do, or previously did, business with Anthem, you face tangible risk as a result of the recently disclosed breach even though it is believed only Anthem’s system was compromised. Consider the following…

[box type="info"]This article, originally published on Netdiligence.com, is part of our Industry News Highlights series, making sure our readers see the most popular Privacy, Security, Compliance and Information Risk Management news each week.[/box]

The factual nature of your relationship with Anthem will determine your legal duties. Depending upon what information you or your employees/members/customers provided to Anthem, the manner in which that information was shared with Anthem, and what functions or services Anthem performed on their behalf, you may have duties to notify (or otherwise provide services to) individuals, regulators, consumer reporting agencies and other governmental agencies.

Even if Anthem has not serviced your business or your employees/members/customers recently, you may still be affected.

The age of the data subject to unauthorized access is currently unknown. Older data exchanged as part of a past relationship with Anthem may be involved.

The relationship you have with your current or former employees/members/customers may impose additional obligations. Only you know what assurances you made to your employees/members/customers (in contracts or otherwise).

You cannot rely upon Anthem to identify and satisfy all of your legal duties (whether statutory or contractual) without supervision. Only you can proactively ensure that the best interests of your business are protected, and that your statutory and contractual obligations to others are satisfied. Anthem has its own interests to protect.

Your contract with Anthem may or may not require Anthem to satisfy your duties.

Either way, it is crucial that you manage Anthem’s response and be involved in developing the notice content, identifying the recipients of the notice, and confirming notice timing. You need to manage Anthem’s response to ensure it is compliant with laws/requirements applying to you.

You are not immune to regulator scrutiny. This incident has already attracted the attention of both state and federal regulators, including the U.S. Department of Health and Human Services and the California Insurance Commissioner. Even if Anthem satisfies your legal obligations, regulators can – and will – investigate any party they believe to be involved in the incident.

You are not immune to lawsuits.

Within hours of Anthem’s public disclosure, Anthem and at least one Anthem affiliated plan were named as defendants in class action lawsuits even though there is no fraud reported…yet. The plaintiffs’ bar is not bashful about maximizing the number of defendants regardless of culpability.

You must talk to your customers/members/employees about this incident. They entrusted their personal information to you, or shared it with Anthem at your direction. If you do not take their concerns seriously and fail to adequately communicate with them about what happened, what Anthem is doing about it, and what you are doing about it, your business and reputation may suffer.

If you remember one point, let it be this: this incident creates real risk for you and requires factual clarity and legal analysis in order to identify your duties and prepare for possible regulatory and litigation exposure…regardless of fault.
