Anthem Data Breach Focuses Attention on Role Benefit Plan Fiduciaries Play in Managing and Controlling Plan Records

Feb. 24, 2015, 5:00 AM UTC

Introduction

The recently announced cyber-attack on Anthem’s massive data base, which reportedly resulted in the theft of highly sensitive medical and financial information pertaining to as many as 80 million Americans, shines a bright light on an apparent weak link in the nation’s health-care system. Reports that the hackers, possibly from China, gained access to everything from names and physical addresses to Social Security numbers, e-mail accounts and income figures of many of the individuals whose records are being maintained by Anthem (some, reportedly, 10 years old) merely point up how much information is being collected by health insurers and held in huge data bases in connection with the processing and payment of health care and related goods and services for every American citizen.

One can reasonably assume, given Anthem’s massive financial resources, that its database and its systems were competently designed, organized and maintained. So what are the realities here, based on what already is known? First, that there are sophisticated actors who are both willing and able to infiltrate some of the country’s largest private-sector data bases, containing some of the most sensitive medical and financial information being held regarding tens of millions of Americans. Second, that the only reason the cyber-attack on Anthem has led to the current uproar is because — for reasons not yet explained (but reasons that doubtlessly made sense to Anthem) — a large amount of the sensitive financial and personal data being held as part of Anthem’s data base was not being held in encrypted form. And third, that in light of the apparent success of those who were able to infiltrate the Anthem system, other cyber-attacks will be mounted in the future, either against Anthem’s data base or against similar data bases being maintained by other large health insurers.

Given these realities, what should Anthem’s stakeholders do now, and (just as important) what should all stakeholders do, now that it seems likely that such a cyber-attack can and will happen again? This article explores these questions from the perspective of the millions of sponsors and fiduciaries of private-sector group health plans subject to the fiduciary and other provisions of the Employee Retirement Income Security Act (“ERISA”) who currently rely on a health insurer either to insure those being covered by their group health plan or to administer the plan and provide it with network access.

Anthem An Outlier? Not Likely

As noted above, it is fair to presume that there will be further cyber-attacks of the type and scope successfully mounted against Anthem and its health care/network data base. But is it also fair to presume that other health insurers’ data bases contain substantial amounts of personal data being held in unencrypted form? After all, that was how the true damage was done. A review of the regulatory and financial environment within which Anthem’s data base had been constructed and was operating at the time the cyber-attack occurred reasonably suggests that Anthem is not simply an outlier or an isolated case, and that others may well be doing the same thing either in the name of efficiency or in the name of cost containment.

HIPAA and the ACA

Those familiar with both the Patient Protection and Affordable Care Act of 2010 (“ACA”) and its Clinton-era forebear, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), understand they are intertwined. HIPAA in many ways laid the groundwork for many of the market reforms people now associate with the ACA. HIPAA championed portability in employer-provided benefits, for example, by amending ERISA (and related statutes) to eliminate the pre-existing condition exclusion for those who remain continuously covered; for its part, the ACA removed the continuous-coverage safeguard and extended it to the masses. Similarly, HIPAA amended ERISA to prohibit employers, and health insurers issuing group policies, from discriminating against employees based on their health status or their claims history, and first sanctioned the use of financial incentives in wellness programs; the ACA has now expanded and made those concepts universal.

Records Privacy and Security

But the ACA did not build upon and enhance every reform and improvement that HIPAA introduced. Data privacy and security is a prominent example – one now made more prominent by this month’s events. Why? Because the privacy and security protections put in place by HIPAA (and by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) just before the ACA was enacted) were focused on the sensitive medical records and other “individually identifiable health information” being collected, collated and maintained at the time by and for employers and their group health plans.

Fourteen years later, the more systemic reforms put in place by the ACA have caused there to be a quantum leap in the volume of highly sensitive personal medical information that is being collected, generated, transmitted, analyzed, handled and stored. More important, though, the ACA reforms also have caused there to be an explosion in the financial and other personal information that is being collected, generated, transmitted, analyzed, handled and stored, because health insurers and others now have to share information and otherwise coordinate their billing, collection, qualification and payment activities with the United States Treasury, the Centers for Medicare & Medicaid Services (“CMS”) and a host of other federal and state agencies — and with the 50+ health insurance exchanges — in order to match up covered individuals with the many governmental subsidies and penalties the ACA put in place. Steps may not yet have been taken to extend the HIPAA and HITECH policies and programs, designed to safeguard health information, to the financial and other similar information that the health insurers have been obligated to collect and handle.

Another development which makes it more likely that the Anthem incident is not an isolated one has to do with the rapid and relentless consolidation among health insurers (and markets) which has occurred since the ACA was enacted – consolidation that has led to the creation of a comparatively small number of huge, multistate and national health insurer data bases. The ACA actively promoted this consolidation, in the name of cost containment, by introducing the “medical loss ratio” (“MLR”) rules. The implementation of the MLR rules has discouraged countless health insurers from spending too much money on operating expenses (or anything other than the payment of claims), and has caused several health insurers to abandon existing markets or refrain from entering others on the ground that only the dominant health insurers have the premium revenue stream(s) needed to bear the operating and overhead costs needed to operate effectively in a post-ACA world. [Note 1: As anyone familiar with the MLR rules understands, those rules financially penalize health insurers that spend too much on operating expenses such as computer systems and software, even if needed to protect sensitive information from intruders. Those familiar with the health insurance industry likewise understand that the MLR rules have had the effect of Balkanizing the individual and small group health insurance markets in various parts of the country, by driving health insurers with comparatively smaller market shares out of those states where they were not able to reach or maintain the revenue level(s) needed to keep their operating expenses and overhead at 15%-20% of revenues (or less). See Public Health Service Act Section 2718, as added by ACA Section 1001.] Indeed, it seems entirely possible that in the end, there will be fewer than 100 data bases where all of the medical and financial information covering virtually all American citizens will be able to be found. [Note 2: The data bases in question would consist of those maintained by the 50+ health insurance exchanges, those maintained by federal government agencies (e.g., the Veterans Administration, CMS (Medicare/Medicaid), etc.), and those maintained by approximately 30-40 national and super regional health insurers.] The attractiveness of a few, truly large data bases to sophisticated hackers should not be underestimated.

As for what exactly happened at Anthem, it remains too early to know all the details. Perhaps the pressures that the ACA heaped on Anthem (and health insurers in general) made it too difficult for Anthem’s IT team to effectively defend its system, or block intruders. Perhaps a system as large as Anthem’s has too many portals and other access points. Or perhaps Anthem found that the only way to effectively maintain a proper interface with some of the government agency systems and health insurance exchange systems involved in making eligibility determinations was to leave at least the covered individuals’ non-medical data in unencrypted form.


Whatever the reason, Anthem presumably had legitimate reasons for doing what it did, and the event cannot be dismissed as an institutional lapse. If that is at all accurate, other health insurers may be doing the same thing, perhaps for the same or similar reasons. Indeed, there seems to be a growing consensus that Anthem will not be the last health insurer to find itself in this predicament. [Note 3: See Abelson and Creswell, Data Breach at Anthem May Lead to Others (New York Times; Feb. 6, 2015); and Overlay, Anthem Breach Shows Health Industry in Hacker Crosshairs (Law360; Feb. 6, 2015).]

Information Gatekeepers

Just as it would be short-sighted to view the present data breach as solely an “Anthem problem,” it likewise would be short-sighted to view data breaches in the health-care delivery system as just a “health insurer problem.” Why? Because the vast majority of the personal medical and financial information the nation’s health insurers collect is provided to them by employer groups — many or most of which constitute group health plans. And just as HIPAA makes plain that a group health plan (as a “covered entity”) is ultimately responsible for protecting the personal health information that it generates and collects, ERISA makes clear that those acting as fiduciaries for a group health plan are ultimately responsible for protecting the interests of those covered by that plan as participants and beneficiaries.

ERISA, and Plan Fiduciaries

ERISA has a protocol for determining exactly who is responsible for the well-being of a given group health plan’s participants and beneficiaries, and it starts with the governing “plan document.” ERISA requires every employee benefit plan (including a group health plan) to be maintained pursuant to a written plan document, and that document is required to identify those who have (or exercise) decision-making authority over the plan’s administration or handle its assets. [Note 4: The U.S. Department of Labor has made plain that a plan’s assets include any premiums or contributions that get collected from plan-eligible employees, including COBRA premiums. 29 C.F.R. §2510.3-102 (2014).] ERISA also makes clear, by statute, that those either given that discretionary authority or exercising that discretionary authority are to be considered plan fiduciaries – and it is they who will be held responsible for what happens. [Note 5: See ERISA Section 3(21) [29 U.S.C. §1002(21) (2014)].]

Does ERISA consider it part of a plan fiduciary’s duty to protect participants’ and beneficiaries’ plan records, including any sensitive personal medical and/or financial information that they provide or that gets collected in connection with providing them benefits? According to the U.S. Department of Labor (the “DOL”), the agency with primary responsibility for enforcing ERISA’s provisions (including its fiduciary duty rules), and a recent United States Supreme Court decision which considered squarely the proper way to construe and apply ERISA’s general fiduciary duty rules, the answer plainly is yes.

The obligation to protect a plan’s participants and beneficiaries, and safeguard sensitive information that they have provided or that has been collected about them, draws its essence from ERISA’s much-publicized fiduciary duty rules. Often described as “the highest known to the law,” [Note 6: Donovan v. Bierwirth, 680 F.2d 263, 272, n. 8 (2nd Cir. 1982).] ERISA’s fiduciary duty rules generally require plan fiduciaries to discharge their duties with respect to a plan solely in the interest of the plan’s participants and beneficiaries, and with the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent individual, acting in a like capacity and familiar with such matters, would use in the conduct of an enterprise of a like character and with like aims, in accordance with the documents and instruments governing the plan insofar as such documents and instruments are consistent with the provisions of ERISA Title I. [Note 7: ERISA Section 404(a)(1) [29 U.S.C. §1104(a)(1)].]

Until recently, the role that the ERISA fiduciary duty rules played in the handling and delivery of employer-provided, health-care coverage was viewed by many as limited, and almost incidental if fully insured coverage was being provided. But the proliferation of self-insured group health plans, and some high profile litigation involving health insurers (and their affiliates) and other service providers found to have engaged in at least undisclosed financial conduct involving plan assets in violation of the ERISA precepts summarized above, have opened the eyes of many within the legal and regulatory communities. [Note 8: By now it is well understood that a third-party administrator or a health insurer that either handles plan assets or exercises discretion with regard to adjudicating claims (or both) for a private-sector, self-insured group health plan serves as a fiduciary to that plan. E.g., Briscoe v. Fine, 444 F.3d 478 (6th Cir. 2006); Life Care Mgmt. Services, LLC v. Ins. Mgmt. Admin., 703 F.3d 835 (5th Cir. 2013). More recently, an emerging wave of ERISA-based claims have been brought against Blue Cross organizations (most notably, Blue Cross and Blue Shield of Michigan) for imposing “hidden” provider network access fees and surcharges on self-insured group health plans they (or an affiliate) were administering. Hi-Lex Controls, Inc. v. Blue Cross and Blue Shield of Michigan, 751 F.3d 740 (6th Cir. 2014). At present, there are about 30 of these cases, described by some as “fraudulent overbilling” cases; and some studies estimate that about $272 billion in fraudulent overbilling may have occurred. See Wille, J., Fraudulent Overbilling Cost $272B in 2014; Health Plans Should Weigh Anti-Fraud Tactics, BNA Pension & Benefits Daily no. 27 (Feb. 10, 2015) (27 PBD, 2/10/15; 42 BPR 320, 2/17/15).]

That helps explain why the DOL in 2011, when it sought to provide employers with guidance on how to handle the medical loss ratio rebates being paid by health insurers such as Anthem, stressed in Technical Release No. 2011-04 (December 2, 2011) that many rebates constitute (or, may constitute) plan assets, and that such assets have to be allocated and promptly distributed or otherwise used for the plan-covered employees’ benefit unless the plan document specifically provides otherwise (39 BPR 1584, 8/21/12; 160 PBD, 8/20/12). It also helps to explain why a May 2013 DOL publication, intended to educate private employers about the fiduciary responsibilities they undertake when they sponsor a group health plan, stresses that “a fiduciary’s responsibilities include making sure the plan complies with ERISA, which includes COBRA, HIPAA, and [all] the other group health plan provisions in the law.” [Note 9: U.S. Department of Labor, Employee Benefits Security Administration, Understanding Your Fiduciary Responsibilities Under a Group Health Plan (May 2013) at p.11 (available at www.dol.gov/ebsa).]

Most telling, though, is a recent decision by the United States Supreme Court, which was called upon to decide whether courts construing ERISA’s primary fiduciary duty rules — the duties of prudence, diligence and loyalty — can take into account a plan’s special circumstances when applying those rules to the conduct of that plan’s fiduciaries (123 PBD, 6/26/14; 41 BPR 1360, 7/1/14). In Fifth Third Bancorp v. Dudenhoeffer, 573 U.S. ___, 82 U.S.L.W. 4522 (June 25, 2014), the Supreme Court ruled, 9-0, that they could not. [Note 10: This also helps explain why the DOL now routinely brings suit under ERISA for breach of fiduciary duty, when it encounters an employer that has failed to use the contributions received from current and/or former employees to pay the premiums due under a group policy it obtained (11 PBD, 1/16/15). See, e.g., Perez v. The Children’s Place, Inc., Civ. No. 8:14-cv-03236-JDW-TGW (M.D. Fla.; filed December 30, 2014).] When Dudenhoeffer is viewed in combination with the recent influx of so-called “fraudulent overbilling” cases being brought against various Blue Cross and other organizations (see Note 8, above), it becomes easy to conclude that the days when ERISA plan fiduciaries could place blind trust in their health insurers, either to do the “right thing” or to act in the best interests of those covered by their plan, are over. It now has become difficult, and perhaps even untenable, for the fiduciary of a group health plan to react to news that a health insurer has encountered a substantial problem — here, at least the loss of sensitive, unencrypted financial information, and possibly a HIPAA data breach violation — by doing nothing. So what should a prudent ERISA plan fiduciary of a group health plan do?

What To Do

Exactly what a prudent plan fiduciary should do depends on the situation in which it finds itself — and its group health plan. While it might be imprudent to overreact, it would be imprudent to underreact, and it plainly would be imprudent to do nothing.

Anthem’s data breach puts all private-sector group health plans into one of the following five categories:

  • Those that currently have an insured group contract with Anthem;
  • Those that are self-insured, where Anthem (or an affiliate) administers and pays its claims and provides access to Anthem’s (and other Blue Cross) provider network(s);
  • Those that previously had a contract with Anthem (or an affiliate), but don’t currently, whose claims and other information have not been purged from Anthem’s data base;
  • Those that currently have an insured group contract with a health insurer or third party administrator other than Anthem (or an Anthem affiliate), where Anthem’s provider network is being accessed (which would include any employer that contracts with any “Blue Cross” insurer); and
  • Those that never had a contract with Anthem or any other Blue Cross organization.

Where the Plan is Clearly Affected by the Anthem Breach

A plan fiduciary whose group health plan is either being insured by Anthem or is being administered by Anthem (or an Anthem affiliate) likely has its work cut out for it, but there certainly are things that can be done. Current reports from Anthem make plain that it will take time to learn exactly which records were compromised as a result of the cyber-attack, and which group health plans (if any) were directly affected. While that is getting sorted out, the first steps a plan fiduciary might want to take would be to identify the plan fiduciary tasked with protecting the plan and those covered by the plan, and then to establish a process for monitoring that fiduciary’s progress and keeping plan-covered individuals informed (if need be). If a HIPAA security officer already has been designated and appointed, that individual likely would be the best candidate to fulfill these duties.

Whoever comes to be appointed, that designated fiduciary should be in ongoing contact with Anthem, and should be seeking to obtain blanket assurances — and blanket indemnification — for any damages or losses the plan, or its participants and beneficiaries (either individually, or as a group) incur as a result of the breach, if such assurances and offers of indemnification have not already been volunteered. The designated plan fiduciary also should demand to be kept fully informed as to what steps Anthem is taking, and expects to take, with respect to those covered by the plan, including (but not limited to) any breach notifications Anthem makes.

The designated plan fiduciary also should carefully review the terms of its group health plan (including the fiduciary provisions) and the terms of any and all of the agreements between the plan and Anthem (and its affiliates), including specifically those pertaining to HIPAA and the generation or handling of plan information (e.g., business associate agreements, HITECH agreements, third party administration agreements where applicable, etc.), with a view to determining:

  1. Whether all the agreements currently in place and being acted upon have been duly executed and remain in full force and effect (particularly, those pertaining to HIPAA and HITECH);
  2. Whether Anthem (or an Anthem affiliate) has the responsibility to discharge any and all breach-related notification obligations the group health plan itself may have as a covered entity;
  3. Whether the scope of those agreements covers all the records likely to be maintained as part of Anthem’s data base, including those Anthem now appears to be characterizing as non-HIPAA records;
  4. Whether the standard of care to which Anthem is committed is ordinary negligence, or something more lenient and forgiving such as willfulness or bad faith;
  5. Whether the scope of indemnification to which Anthem is contractually committed provides the plan and those covered by it with sufficient protection;
  6. Whether the plan and its fiduciaries are appropriately protected by errors and omissions coverage (where the plan sponsor has purchased civil liability insurance) from any loss or damage resulting from what just occurred [Note 11: For instance, the HIPAA/HITECH rules provide for the identification of a “privacy officer” and a “security officer.” When it comes to serving as the privacy officer or as the security officer for an ERISA-regulated group health plan, the individuals holding those positions are likely to be seen as fiduciaries of that ERISA plan, due to the authority and responsibility that those individuals would have. It is not always clear whether those individuals are (or should be) covered by the sponsor’s directors’ and officers’ liability insurance policy, by an ERISA fiduciary liability insurance policy, or by both. It pays to resolve any confusion, or ambiguity, in coverage that might exist.]; and
  7. If the plan is self-insured, what actions Anthem plans to take — or not take — in regards to the breach which are different from those actions it may be taking in respect of those individuals covered by an insured plan.

Where the Plan Might be Affected

As noted above, there is a second group of potentially affected group health plans: those plans that receive their coverage through one of the other Blue Cross organizations (or for those plans that are self-insured, those that are being administered by one of the other Blue Cross organizations, or an affiliate), which use the “Blue Cross” provider network to provide goods and services; and those plans that used to do business with Anthem or one of the other Blue Cross organizations but discontinued that relationship.

The fiduciary for a group health plan in this position should at least conduct a preliminary review, and reach out either to the Blue Cross organization with which the plan presently is dealing, or (in the case of a discontinued relationship) to its former insurer or vendor, and seek written assurances that the plan and its data were not implicated or affected by the Anthem breach. Any plan fiduciary unable to obtain such assurances in a reasonable timeframe should assume that its group health plan is affected and should consider taking the steps outlined above for those whose plans clearly are affected.

Going Forward: Steps for All Group Health Plan Fiduciaries

The Anthem data breach in any event serves as a wake-up call to all plan fiduciaries of group health plans because it makes plain that this sort of cyber-attack can and likely will happen again — and that it is at least possible that unencrypted files held by health insurers could again fall into the hands of cyber thieves. The recent discovery, by several fiduciaries of self-insured plans, that a number of health insurers may have been engaged in fraudulent overbilling (see note 8) simply reinforces the view that plan fiduciaries dealing with health insurers cannot simply assume that the health insurer (or, some third party administrator) at all times will be acting in the best interests of its group health plan. Blind trust and faith seldom are rewarded, and never provide an effective defense to a claim that an ERISA plan fiduciary breached its duty.

As such, on a going-forward basis, plan fiduciaries of all group health plans — even those unaffected by the Anthem breach — should consider taking the following steps:

  1. Review the agreements currently in place with their health insurers (or where relevant, their third party administrator(s)) and make sure all have been duly executed and are in full force and effect (particularly, those pertaining to HIPAA and HITECH).
  2. Review and confirm who has the responsibility to discharge any breach-related notification obligations the group health plan itself may have as a covered entity.
  3. Determine whether the scope of the HIPAA/HITECH agreements in place with the plan’s health insurer(s) and third party administrators covers all the records being provided to them or generated by them, to make sure all sensitive records are covered contractually.
  4. Request copies of the health insurer’s (and if relevant, third party administrator’s) encryption policies, practices and procedures and review them, or obtain assurances that all plan-related records are being maintained in encrypted form.
  5. If the health insurer or third party administrator insists on maintaining certain records without encryption, consider either encrypting all files sent to it or obtaining a written acknowledgment that the insurer or administrator accepts complete responsibility for any losses or damages resulting from its maintaining unencrypted files.
  6. Review the standard of care to which the plan’s health insurer or third-party administrator has committed itself, and if necessary, press for the substitution of a higher standard, at least when it comes to data privacy and security.
  7. Review all relevant indemnification language to make sure the plan and those covered by it are sufficiently protected.
  8. Check to see what (if any) errors and omissions coverage would apply if the sort of data breach that occurred with Anthem were to occur in the future, and affect the plan.

Conclusion

The late Ronald Reagan, when president of the United States and involved in nuclear disarmament talks with the Soviet Union in the 1980s, was asked what policy the United States would follow. He replied by quoting an old Russian proverb: “Doveryai, no proveryai,” which translates into “Trust, but verify.”

At minimum, this is what a fiduciary of an ERISA-regulated group health plan should be doing in response to the reports of the Anthem data breach, because a data breach that purportedly affects 80 million Americans is certain to cast a wide net — one certain to include tens of millions of individuals covered by employer-sponsored group health plans. There are prudent steps a plan fiduciary can take to protect its plan and its plan-covered participants and beneficiaries — and itself in the process. One simply has to take them — and not do nothing.
