The potential legal liabilities from the unprecedented breach of some 80 million individuals' records at Indianapolis-based insurance giant Anthem could entangle nearly 60 health insurance plans from Hawaii to Puerto Rico, legal experts say. More than 50 class-action lawsuits related to the breach already have been filed in less than a month.
The plans could find themselves held legally responsible for the breach under the federal Health Insurance Portability and Accountability Act privacy and security law as well as state laws. They likely also face a rising number of private civil suits, according to legal experts.
The reason—the legal fates of Anthem, the other Blues plans and the Chicago-based Blue Cross and Blue Shield Association are intertwined by “business associate” agreements signed to facilitate a national, reciprocal claims payment network called BlueCard.
The network is run by the association, which at least partially explains why Anthem, with 37.5 million members, had more than double that number of individuals' records purloined. Anthem has said that policyholders of other plans who received care in one of its service areas had their data exposed in the breach as well. Presumably the payment data for those traveling policyholders was processed through the BlueCard network.
The breach, revealed Feb. 4, exposed records of individuals in 14 Anthem plans plus millions more enrollees of 42 non-Anthem Blues plans from Hawaii to Puerto Rico.
“What you have here with Anthem is just a problem on mega steroids,” said Kenneth Dort, a partner and privacy lawyer with Drinker Biddle & Reith in Chicago. “You have 80 million people spread out across (dozens) of plans.”
CareFirst Blue Cross Blue Shield, Owens Mills, Md., is a case in point. It serves its own members in its home state, the District of Columbia and parts of Virginia, but also, potentially, members of any other plan in the BlueCard network.
In a message posted last Tuesday, CareFirst said its own members “represent a small portion of the overall number of individuals affected by the Anthem breach—around 0.5 percent of the total.” That still works out to about 400,000 CareFirst members whose records were compromised. Had it been a stand-alone breach, it would currently rank as the eighth largest healthcare data hack and the 19th largest breach on the “wall of shame” website, which lists major data loss incidents since 2009. The list is kept by the Office for Civil Rights at HHS.
The primary regulatory liability for companies involved in a breach is the potential for multiple violations of HIPAA. It was revised by Congress in 2009 by amendments in HITECH provisions of the American Recovery and Reinvestment Act, a federal stimulus law. A 2013 “omnibus” privacy and security rule fleshed out those legislative changes.
The rule made any organization that handles patient information under a “business associates agreement” with a HIPAA “covered entity” equally liable for breaches as the covered entity itself.
HIPAA covered entities include hospitals, physician practices, claims clearing houses and health plans. Business associates often are transcription services, data analytics firms or health information exchanges, but can include one health plan serving another.
Before the HITECH Act, Dort explained, “A covered entity had X, Y and Z obligations for privacy and security, but there were not direct obligations on their business associates. They (covered entities) entered into business associate agreements that laid out what their legal obligations were and they typically laid their (HIPAA) obligations onto the business associate.”
“Now, with HITECH, you have those legal obligations applied to the business associates,” Dort said. HITECH also beefed up potential civil penalty limits for HIPAA violations to a maximum of $1.5 million a year.
So, with the Anthem breach, who is the covered entity and who is the business associate? It depends.
Anthem is clearly a covered entity to its own enrolled members, but it was serving as a business associate for the 42 other plans whose members' records were stolen along with its own, according to Anthem's explanation of how the BlueCard program works.
The good news, for Anthem, from a HIPAA standpoint, “It wouldn't make them any more liable than they otherwise would be,” Dort said. “It's not going to compound their exposure.”
But the bottom line is, according to legal experts, Anthem and 42 plans could be held legally responsible for the breach, under HIPAA as well as state laws.
“In the event a business associate had a breach, before as now, the covered entity, the person who has the direct contract with the affected person, they're still on the hook,” Dort said. “The plan is the one providing the service. They're the ones who have to face their own plan members.”
HIPAA violations also could be cited in multiple class-action suits, said James Pyles, a privacy lawyer with Powers Piles Sutter and Verville in Washington. Because HIPAA's privacy and security rules were set after periods of public review and comment, they are often cited as standards of best practice in plaintiffs' cases brought under state statues and common law, he said.
“So you can sue someone on state tort law because the organization failed to comply with HIPAA standards,” Pyles said.
Further, Pyles said, the omnibus rule likened the responsibilities of a covered entity and its business associate to those of a principal and its agent. “Under that general law, if the business associate is doing something that requires the direction and close involvement of the covered entity, then the business associate and the covered entity would have equal liability,” he said. Pyles said he “can't imagine” a circumstance under which a healthcare business associate and a covered entity would not share equal liability.
The Office for Civil Rights at HHS, the chief federal privacy rule enforcement agency, declined to comment on the Anthem case.
In contrast, a posse of state attorneys generals, led by George Jepsen of Connecticut, is being demonstrative about the states' enforcement authorities.
On his office's website, Jepsen has posted letters to Anthem and releases about it, recommending, for example, that the company add a second year of credit monitoring, (One year of coverage has been standard practice in previous breach cases) commending Anthem for doing it, and then warning the insurer that his office's investigation into this breach remains “active and ongoing.”
AGs can bite as well as bark. In 2009, Congress broadened the civil enforcement authority for HIPAA violations to include state attorneys general. Some have since flexed their regulatory muscle.
In 2010, former Connecticut Attorney General Richard Blumenthal was the first state AG to file a civil suit for a healthcare data breach under his new authorities. The case involved a hard disk loaded with 1.5 million individuals' records that was either lost or stolen from a Connecticut office of California-based insurer Health Net. Blumenthal's action resulted in a $250,000 settlement agreement.
Last year, Massachusetts AG Martha Coakley reached a $100,000 settlement agreement with Beth Israel Deaconess Medical Center, Boston, over a breach of nearly 4,000 patient records on a stolen unencrypted laptop computer, in an action brought under both state law and HIPAA.
Anthem has posted to its website all 42 Blues plans whose members have been impacted by the breach.
They are members who used the BlueCard network of the Chicago-based Blue Cross Blue Shield Association and sought care in any of the 14 states where Anthem-owned blues plans do business.
BlueCard “enables members of one Blue Cross and Blue Shield Plan to obtain healthcare services while traveling or living in another Blue Cross and Blue Shield plan's service area,” according to Anthem. “(T)he program links participating healthcare providers with the independent Blue Cross and Blue Shield plans across the country and in more than 200 countries and territories worldwide.”
In a statement on its web site, CareFirst explained, that when a member is treated out of its service area, his or her claims are sent by the provider to the local Blues plan, and then to their own plan.
“This process ensures that your claim is processed based on your personal benefit plan, while receiving the discounts agreed upon between the provider and the Blue Cross Blue Shield company that received it while you were living or traveling outside of your Blue Cross Blue Shield company's coverage area,” the CareFirst statement said.
CareFirst declined to comment about its legal liabilities under the breach.
According to Anthem spokeswoman Kristin Binns, HIPAA-mandated business associate agreements are part of each plan's license agreement with the Blue Cross Blue Shield Association. These agreements “must cover all interactions” between the various blues plans, she said.
Under the BlueCard operation, plans that enroll members are called “home plans” while plans that serve another plan's members are called “host plans,” Binns said. “Host plans are considered business associates of home plans and there are business associates agreements in place to reflect that relationship for purposes of HIPAA compliance,” she said.
In an emailed statement, BCBSA said it is a business associate under its licensing agreement with its member plans. Whether it has a shared responsibility under HIPAA for the breach remains to be seen.
“Right now, the FBI, federal and state regulatory authorities and Anthem's own internal teams are investigating what happened and its potential impact,” it said.
Members of the plaintiff's bar quickly filed a host of class-action lawsuits on behalf of affected patients/plan members.
“Our count right now is 53 cases,” said Lynn Toops, a lawyer with the Indianapolis firm of Cohen & Malad, which filed a federal suit on behalf of Anthem member Karen Meadows and others in Indiana's Southern District.
For now, their causes of action are breach of contract and negligence, Toops said, but, “We're still developing theories.”
“We have serious concerns about the vast amount of data that Anthem is storing about not even it's own insured,” Toops said. “Why is that data being retained and being retained in an unencrypted fashion?”
Whether the 42 plans, as covered entities, are liable for the activities of their business associate, Anthem, is “a very interesting point,” she said. “We're not ruling out any avenues or defendants in this case.”
Consolidation of the cases will likely occur this summer, she said.
Follow Joseph Conn on Twitter: @MHJConn