Potential legal liabilities from the unprecedented breach of 80 million individuals' records at Indianapolis-based health insurance giant Anthem could entangle nearly 60 insurers from Hawaii to Puerto Rico, legal experts say. More than 50 class-action lawsuits related to the breach already have been filed in less than a month.
The plans could be held legally responsible for the breach under the federal Health Insurance Portability and Accountability Act privacy and security law as well as state laws. They likely also face a rising number of private civil suits, legal experts say.
Anthem, the other Blues plans and the Chicago-based Blue Cross and Blue Shield Association are intertwined by “business associate” agreements signed to facilitate a national, reciprocal claims payment network called BlueCard.
The network is run by the association, which at least partly explains why Anthem, with 37.5 million members, saw more than double that number of individual records purloined. Anthem said that members of other health insurance plans who received care in one of its service areas also saw their data exposed in the breach. Presumably, payment data for those traveling policyholders was processed through the BlueCard network.
The breach, revealed Feb. 4, exposed records of individuals in 14 Anthem plans plus millions more enrollees in 42 non-Anthem Blues plans. For example, CareFirst Blue Cross and Blue Shield, Owings Mills, Md., serves its own members in its home state, the District of Columbia and parts of Virginia, but also, potentially, members of any other plan in the BlueCard network. CareFirst indicated that the records of about 400,000 of its members were compromised.
The primary regulatory liability for companies involved in a data breach is the potential for multiple HIPAA violations. The rule was revised by Congress in 2009 so that any organization that handles patient information under a “business associates agreement” with a HIPAA “covered entity” is held as liable for breaches as the covered entity itself. HIPAA-covered entities include hospitals, physician practices, claims clearinghouses and health plans. Business associates often include transcription services, data analytics firms or health information exchanges, but can also include one health plan serving another.
HIPAA violations also could be cited in multiple class-action suits, said James Pyles, a privacy lawyer with Powers Pyles Sutter and Verville in Washington.