Tag Archives: HIPAA

Do the HIPAA Privacy and Security Rules Apply to My Organization?

November 27, 2018


This article is the second in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA) apply to various legal entities. Part One addressed Covered Entities and appeared in our October 2018 newsletter. This article addresses Business Associates of Covered Entities that are self-insured group health plans.[1]

Quick Recap

Covered Entities are the key stakeholders in the delivery and payment of health care, but they frequently partner with other organizations for assistance. Many of these organizations will need to come into contact with Protected Health Information (PHI) to assist the Covered Entity. Remember, PHI is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

What’s a Business Associate?

In the group health plan context, HIPAA defines a Business Associate as a third party that requires PHI to perform some function or service on behalf of a group health plan. In other words, a third party that helps make your health plan go but needs PHI to do it. The third party might create, receive, store, or transmit[2] the PHI in this role, but it must be “PHI sticky” in at least one of those ways to be considered a Business Associate. Many of HIPAA’s Privacy and Security requirements apply directly to Business Associates.

Typical Business Associates for a Self-Insured Group Health Plan



Maybe So

  • Third party administrator (TPA) including pharmacy benefit manager
  • COBRA administrator (more about this below)
  • Broker/consulting firm
  • Actuaries
  • Record keepers (e.g. Iron Mountain or other third parties storing physical or electronic records containing PHI)
  • Other cloud service providers such as Google if Gmail is used as the email system
  • Plan sponsor/employer
  • Stop-loss carrier (more about this below)


  • External legal counsel
  • Accountants, if they will see PHI in connection with an audit or review





COBRA Administrators
If a COBRA administrator merely receives enrollment and disenrollment information from the employer (as plan sponsor), the information it receives is not PHI and the COBRA administrator is not technically a Business Associate of the group health plan. The nature and source of the information provided is easily blurred between the employer and group health plan, and it’s common for COBRA administrators to agree to be treated as Business Associates.

The Curious Case of Stop-Loss
The Rules indicate that stop-loss carriers are not Business Associates of a group health plan when the stop-loss policy insures the plan itself. The Rules are less clear about the more likely scenario where the stop-loss policy insures the employer/plan sponsor directly. In practice, stop-loss carriers are often reluctant to be treated as Business Associates and are frequently excluded. We recommend employers enter into robust non-disclosure agreements with stop-loss carriers not treated as Business Associates.

Business Associate Contracts

Your organization’s group health plan is required to enter into a contractual agreement with all of your Business Associates outlining how the Business Associate may use and disclose PHI, how it will secure PHI, and other rights and obligations the parties have under the Rules.[3] The Department of Health and Human Services (DHHS) has provided sample business associate contract language. Among other items, the contract must include language addressing the parties’ responsibilities when unsecured PHI is improperly used or disclosed (a “breach”). Your organization has a limited amount of time to investigate and respond to a breach.

As a practical matter, it is the employer (as plan sponsor) who must secure the contract for all of the plan’s Business Associates, but Business Associates will often supply their version of this contract to the employer without being prompted. It is in each party’s best business interest to use a standardized contract for administrative ease rather than having to honor the commitments of contracts from different sources, so there is a natural tension between the parties who each favor their own contracts. The requirements for a Business Associate contract are pretty standard, but it is not unusual for the contract to be more favorable toward the drafting party or to include additional contractual terms beyond what the Rules require, so it is important to have this reviewed by your legal counsel.

Sometimes Business Associates contract with other organizations to perform one or more functions the Business Associate was hired to perform for the group health plan (“subcontractors,” who are also PHI sticky), and there is no direct relationship between the health plan and the subcontractor. Your Business Associate must represent, in the Business Associate contract it has with your organization, that it has a contract in place with its subcontractor that provides all of the same protections under the Rules with respect to any PHI related to your health plan.

Example – A self-insured medical plan engages a TPA for claims administration and other services. One of these services is claims monitoring to reduce fraud, waste, and abuse. The claims monitoring services are actually provided by a subsidiary of the TPA, and the medical plan does not have a direct contract with the claims monitoring subsidiary. The TPA is a Business Associate of the medical plan. The claims monitoring entity is a Business Associate of the TPA and should be addressed as a subcontractor within the Business Associate contract between the medical plan and the TPA.

Next Steps

You should always know who your Business Associates are and should make sure you have a list of all the current vendors who provide services related to your health plans. Of these vendors, which ones use PHI to perform a function on behalf of a group health plan?

These are your Business Associates, and you should maintain current Business Associate contracts with all of them. Don’t forget to make this an implementation step when adding a new vendor who will be a Business Associate to your health plan(s).

[1] In Part One, we addressed that insurance carriers are the Covered Entities for fully-insured group health plans and that employers/plan sponsors generally have few obligations under the Rules for those plans.

[2] A third party that only transmits PHI without accessing or storing it may qualify for an exception as a mere conduit of the information.

[3] A failure to enter into the contract does not mean the third party is not your Business Associate and just subjects you to potential penalties for non-compliance.


Do the HIPAA Privacy and Security Rules Apply to My Organization?

October 22, 2018


This article is the first in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA with one P and two As, always) apply to various legal entities. This article addresses Covered Entities. Part two will address Business Associates.

What’s a Covered Entity?

There are three types of Covered Entities under the Rules. We’ll describe all three below, although the remainder of this article focuses on the Rules as they relate to employer-provided group health plans.

  1. Health care providers that engage in certain types of electronic transactions – Health care providers generally include what you’d expect, such as hospitals, clinics, pharmacies, nursing homes, health care practices, individual health care professionals, etc. To be a Covered Entity, the health care provider has to engage in certain types of electronic transactions, including determinations of eligibility, billing, payment, and the coordination of benefits. Even in the rare instance that a health care provider is not subject to the Rules, other federal and state law likely affects how the provider may access or use personal health information.
  2. Health care clearinghouses – These have nothing to do with sweepstakes prizes and usually operate invisibly in the background as a go-between for health care providers and health plans. A health care clearinghouse receives health information from an entity and processes the health information into a format usable by another entity. The best example we can give you occurs when a health care provider transmits billing information to a third party, the third party reprices the claims and formats the information into a new data set, and transmits the data set to a third party administrator or insurance carrier, enabling it to process and pay the claims. The third party repricing and formatting the billing information in this example is a health care clearinghouse.
  3. Health plans – A health plan is a plan that provides or pays for the cost of medical care. Simple, right?

Group Health Plans

There are many types of benefits that involve personal health information. A plan is only a Covered Entity under the Rules if it is a health plan that provides or pays for the cost of medical care. Covered Entity status transforms a lot of personal health information that may be held or used by or on behalf of the health plan into Protected Health Information.[1]

In a nutshell, Protected Health Information (PHI) is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

We’re focusing on employer-provided group health plans and will provide an overview of their obligations under “Group Health Plan Responsibilities Under the Rules” below.

Is it a Group Health Plan?



Maybe So

  • Medical
  • Prescription drug
  • Dental
  • Vision
  • Health FSAs
  • HRAs
  • EAPs (if not just a referral service)
  • AD&D
  • Business travel accident
  • Leave administration (e.g. FMLA)
  • Life
  • Stop-loss
  • Workers’ Compensation insurance
  • Onsite clinics
  • Long-term care
  • Wellness programs


[1] Even though a benefit plan may not be subject to the Rules, personal information created or used by the plan may still be protected under other federal or state law. For example, leave administration and disability insurance are not generally subject to the Rules, but limitations under the Americans with Disabilities Act or other laws may apply.

A group health plan is exempt from the Rules if it covers fewer than 50 current and/or former employees and is self-administered by the employer without the assistance of a third party administrator or insurance carrier. This is hard to meet, but some small health flexible spending account (health FSA) or health reimbursement arrangement (HRA) plans may qualify.

Unlike ERISA, the Rules contain no exception for church or governmental plans.

What Did You Mean by “Maybe So?”

  • Onsite clinics – This feels like a trick. At first glance, you’d think an employer-provided onsite clinic might be a Covered Entity both as a health care provider and as a group health plan, but what seems obvious isn’t necessarily so. First, an onsite clinic might be operated in such a way that it doesn’t engage in any of the electronic transactions that would cause it to be a Covered Entity as a health care provider. As a precaution, we recommend an employer seek the assistance of legal counsel before taking the position that the Rules do not apply to its onsite clinic. Again, even though the Rules may not apply, personal information may still be protected by other federal or state law. Second, an onsite clinic that merely provides first aid-type services is not a health plan at all under the Rules. Third, an odd exception under the Rules seems to exclude onsite clinics that are health plans, even when the onsite clinic is integrated into other group health plan coverage (but see “It’s a bird, it’s a plane” below).
  • Long-term care – A long-term care policy is a group health plan unless it is limited to nursing home fixed indemnity coverage.
  • Wellness programs – Wellness programs can include programs that include medical care (e.g. biometric screenings and targeted health coaching) and those that do not (e.g. general education and activity challenges). If a wellness program does not include any medical care services, it is not subject to the Rules. In many instances, a wellness program will include both medical care and non-medical care services and/or be integrated into an employer’s medical plan (please see “It’s a bird, it’s a plane” below).

Does Self-Insured vs. Fully-Insured Matter?

It must, or we wouldn’t have a section addressing it, right? If a group health plan is self-insured, it is generally subject to all of the compliance obligations under the Rules. If a group health plan is fully-insured, many of the compliance obligations under the Rules belong to the insurance carrier if the plan (through its plan sponsor acting on the plan’s behalf) is “hands off” PHI.

  • “Hands Off” PHI – The plan sponsor does not create or receive PHI other than enrollment/disenrollment information or summary health information for the purposes of obtaining premium bids or modifying, amending, or terminating the plan. Many fully-insured group health plans qualify as “hands off” PHI. We can hear the howls of protest, but self-insured group health plans cannot qualify for “hands off” PHI relief under the Rules no matter how little the plan sponsor may be involved with their administration.
  • “Hands On” PHI – This applies if the plan sponsor is not “hands off” PHI and can access or receive specific information about claims information or payment.

We will provide an overview of the responsibilities for self-insured group health plans and fully-insured plans that are “hands off” or “hands on” PHI under “Group Health Plan Responsibilities Under the Rules” below.

It’s a Bird, it’s a Plane…

Sometimes, a legal entity may include parts that are subject to the Rules and others that are not. The Rules refer to this as a “hybrid entity” and examples include:

  • A welfare benefit “wrap plan” that incorporates both medical and non-medical care benefits such as medical, dental, vision, group term life, accidental death & dismemberment, business travel accident, and long-term disability benefits;
  • A standalone wellness program that includes both medical and non-medical care benefits such as biometric screenings, targeted health and nutritional counseling, general education, and step and/or healthy eating challenges; and
  • A Walgreen’s or CVS store that includes a pharmacy.

Left as is, the entire “hybrid entity” must comply with the Rules. However, the Rules allow a “hybrid entity” to separate itself for compliance purposes by designating which parts make up the Covered Entity and which do not. The Rules appear to only require this designation in the Covered Entity’s HIPAA Privacy and Security policies and procedures, but it wouldn’t be the worst idea ever to also include this in the corresponding plan document.[2]

Group Health Plan Responsibilities Under the Rules

A plan/plan sponsor can generally reduce its liability by limiting its contact with PHI. Many of the responsibilities in this section can be delegated to third parties, but the plan remains responsible for compliance with the Rules.

[2] The plan document will need to include certain HIPAA Privacy and Security language anyway, and the designation can go there.

Self-Insured Group Health Plan
and Fully-Insured Group Health Plan that is “Hands On” PHI[3]

  • Appoint a HIPAA Privacy and Security officer (they can be different people in your organization)
  • Identify the Covered Entity workforce (people in your organization that work with PHI to help administer your plan)
  • Address all the administrative, physical and technological standards of the Security Rule
  • Draft HIPAA Privacy and Security policies and procedures indicating how the plan complies with the Rules
  • Train your Covered Entity workforce on your policies to safeguard PHI
  • Identify all the plan’s Business Associates and enter into Business Associate Agreements with them
  • Maintain a notice of privacy practices and distribute as required
  • Create procedures to investigate potential breaches and address breach notification requirements
  • Create a complaint process and designate a complaint contact
  • Maintain processes for requesting restrictions, confidential communications and amendments to health information
  • Amend plan document to comply with certain HIPAA Privacy and Security Rule requirements


Fully-Insured Group Health Plan that is “Hands Off” PHI

The plan may not:

  • Intimidate or retaliate against participants who exercise their rights under the Rules; or
  • Require participants to waive their rights under the Rules

The plan has to comply with a limited number of safeguards under the Security Rule:[4]

  • Appoint a HIPAA Security officer
  • Perform a periodic risk analysis (this will document that all PHI is in the hands of third parties such as the insurance carrier or a business associate and not the plan/plan sponsor)
  • Document that the risk management procedures for PHI used by the insurance carrier are adopted by the plan and that the plan requires no additional measures to reduce risk
  • Identify all the plan’s Business Associates, if any, and enter into Business Associate Agreements that comply with the HIPAA Security Rule requirements
  • Amend plan document to comply with certain HIPAA Security Rule requirements

[3] We realize these are generally overlooked and likely present little risk.

[4] From a compliance perspective, the differences between the two types of plan are minor.


Dynamic Insurance, Cyber Security, and the Internet of Things

August 4, 2017


The internet of things is advancing rapidly, and frankly so is insurance. We can assure you that the heated debates in Congress and confusing jargon won’t be going away anytime soon. In fact, it will probably get a lot more complicated, but insurance companies have their analytics departments to lean on in these times of chaos. The world around us is more connected now than ever before, and this gives us more accurate data to look forward to. Let’s start with drones. The rising use of drones will present both opportunities and risks for many industries. We have seen this technology become a natural part of many markets. For example, filming a scene that requires an aerial view becomes a lot less expensive with a drone, and inspecting the exterior of buildings becomes a lot less dangerous when the life of an employee is not at risk. According to the U.S. Bureau of Labor, 38.8% of total deaths in construction occur from falls in just one calendar year. Falls are the number one cause of death in the construction industry and the third largest cause of death across all industries (Drones Create Safety). A $1,000 piece of equipment becomes priceless when it can transfer the risk of a life. But who is responsible for the misuse of a drone, and is there liability coverage for your commercial drone? This article will address how innovative technologies can improve current industries or potentially disrupt them, and what role insurance companies will play in the near future.

Do we really want more healthcare data?

Wellness technology is advancing rapidly with untapped data. Not long ago, insurance companies started compiling data on teenage drivers. Soon enough they found a strong correlation between a student’s grades and their likelihood of getting in an accident. Of course, grades do not depict how well you can drive, but a strong correlation can help save the insurer a lot of money. Soon came the “good student” discount. If you can provide proof that your teenage driver will get grades above the threshold that the carrier believes has a statistical impact on the number of accidents the insured will experience, you can save some money. Because of the historical data, companies can now better underwrite their clients, and the insured is rewarded with a discount and another reason to nag their kids about grades. The good student discount isn’t the only way insurance companies use correlation data. They also use it to responsibly insure smokers. The insurer can better predict their client’s health issues based on employee lifestyles (Tech-Enabled). Insurance companies have been adapting to data since the inception of insurance. Even recent policy such as the Affordable Care Act is still making major changes to the health insurance market.

Correlation is everywhere. The law of large numbers explains that the more information there is on the consumer side, the more accurate the underwriting becomes. Obviously, client wellness and the data behind it are very important to insurance companies. Fitbit started out in 2007 as a small group of people with an idea for a fashionable activity-tracking bracelet. Now, Fitbit is publicly traded on the New York Stock Exchange, selling over 22.3 million devices in the past year with reported revenue of $574 million (Fitbit Reports). Not only did Fitbit just go international with Vector Watch UK Limited, but they also acquired FitStar Labs, a private company that develops software applications for games, social networking platforms, and mobile devices. Fitbit has quickly gone from an interesting concept to a full-blown technology powerhouse collecting very sensitive data.

With all the recent advances in wellness data and wearable technology, getting the data to companies that want it is probably just a few lawsuits and a small acquisition away. Who stores and can obtain this information is being questioned more every day. According to the HuffingtonPost, prosecutors obtained data from Chris Bucchere’s activity bracelet to prove that he was speeding before his accident. Bucchere was convicted of a felony for vehicular manslaughter (Weinstein, Mark). While many argue a breach of policy, others are taking advantage of the information while they can. For example, John Hancock Life Insurance Company is offering their clients a 15% discount if they permit their Apple Watch to monitor their activities (IoT Insurance). Data like this has the potential to disrupt consumer information in many industries, especially current healthcare data. It is important to keep in mind that access to personal data is a topic that is already highly controversial and debated in the litigation community. Innovations like smart watches and activity bracelets can increase the accuracy of current data and lower consumer cost, but these advances in wellness technology need to be monitored for their disruptive nature and potential for abuse.

My car can now drive itself, should I switch insurance providers?

Ford, Chevy, Volkswagen, Buick, and Honda are all reputable household names making major moves towards autonomous vehicles. Even Teslas are quickly becoming more affordable as recent innovations in self-driving technology are leading to rapid industry expansion. The Insurance Institute for Highway Safety is anticipating about 3.5 million self-driving vehicles by 2025, and 4.5 million by 2030 (Self-Driving). Recent improvements such as the rear-view monitor, blind spot sensors, and self-parking technology are being integrated into the factory design of many popular cars. These improvements in design and safety have led to a lower fatality rate. “The likelihood of a driver dying in a crash of a late model vehicle fell by more than a third over three years, and nine car models had zero fatalities per million registered vehicles,” (Insurance Institute for Highway Safety). There is no question that our ability to prevent crashes will greatly reduce the number of fatal accidents. What is unclear, however, is how liability laws might evolve to insure autonomous vehicle technology. Insurers will have to determine how to underwrite policies where accident medical bills are lower than ever, while vehicle replacement cost may be higher than usual. It may also become common to see a higher percentage of product liability claims as the insured blame the suppliers for mistakes made on the car’s behalf and fight for subrogation. The need for liability coverage will become more important. As suggested by the 2014 RAND study on autonomous vehicles, “…product liability might incorporate the concept of a cost-benefit analysis to mitigate the cost to manufacturers of claims.” This could relieve pressure on the healthcare and disability costs related to automobile claims.

As of right now, there are basically two types of liability systems. There is the no-fault concept in some states, while in others liability is based on the tort system. The arrival of self-driving cars will have an impact on policy, but for now there isn’t much of a direction. Will the systems align to be more uniform, or will the states pass on the torch to the federal government asking them to play a larger role? The more that car manufacturers are blamed, the more likely we are to see the federal government getting involved. RAND Corporation did a study of the benefits of self-driving vehicles in 2016 and concluded that personal liability will decrease while manufacturer liability is likely to increase (Self-Driving). Car manufacturers are starting to look more like computer manufacturers. Patrick Lin, a writer for Forbes, believes that with this shift in technology, “…hard ethical decisions in programming and new product liability cases will surely challenge law and disrupt the insurance industry…” (No Self-Driving).

Smart cars, what’s next smart homes?

Companies like Vivint and The SOHO Shop are bringing the future closer by integrating smart home technology. The SOHO Shop, founded in St. Charles Missouri, was created with the idea of a trusted and reliable home/commercial automation. Their products range from automated shades and central VAC, to industrial building automation, IT, security and video surveillance. These companies are bringing their software and skills to individual homes along with bigger living areas like retirement communities. Introducing products such as intelligent window and door monitors can make people living alone feel safer. They also offer products that can monitor oven temperatures, water use, bed, chair, and bathroom usage for those living by themselves that may need assisted care. This technology is helping keep patients with medical need comfortable and safe, but what does this mean for insuring the modern home?

The insurer American Family has a model home where it is testing out automated features such as water and temperature sensors. These sensors prevent leaks and notify homeowners before a pipe bursts or an appliance malfunctions and causes damage. Data from these sensors may eventually be used to profile some customers as being more/less likely to let small disasters occur. American Family and USAA are both exploring this technology. State Farm and Liberty Mutual both offer discounts on your home policy if you decide to begin transforming your home into a smart home (Home Automation Giant). The federal government has already started designing a functional way to access utility data. The Green Button Initiative is a nonprofit project that allows businesses and homeowners to access their energy use data in an industry-standardized format (The Green Button). This initiative was a response to a 2012 White House call-to-action to provide utility customers with easy and secure access to their information (Giving Consumers Access).

John Cusano, Senior Managing Director at Accenture, claims that turning customers’ homes into data hotspots will increase the risk of data breaches. Cusano believes that underwriting will change to reflect the new risk of cyber-attacks (Why Insurance Companies). Only time will tell if insurers will save enough by preventing leaks to make up for the costs of ransomware.

We have drones and reinsurance, what can possibly go wrong?

Being ahead of the game means taking the proper precautions to keep changing technology from disrupting your business. While we now have the ability to lock office doors without relying on the janitor, and to send flying robots to do our dangerous jobs, we are also becoming more vulnerable to cyber-attacks than ever before. According to The State of SMB Cybersecurity Report, “…a staggering 50 percent of small and midsized organizations reported suffering at least one cyberattack in the last 12 months…” (State of Cybersecurity). A cyber-attack on a large company can ruin its reputation, but a cyber-attack on a small business or a household can cause detrimental financial damage. The worst part is that many people don’t know what to do about it: “52% of organizations that suffered successful cyber-attacks in 2016 aren’t making any changes to their security in 2017” (Barkly Blog). Companies need to find innovative ways to address this. Limited access and cut ties are a great place to start. No one person in the company should have access to everything. There should also be fewer passwords and more identity verification requirements. If someone knows your email, what city you live in, and your birthday, it is not difficult to gain access to one of your online accounts (banking, social media, email, etc.), which will only make it easier to gain access to the rest of your accounts.

On May 17th 2017, the House of Representatives passed the Modernizing Government Technology Act (115th Congress). This legislation will allow the federal government to improve and replace existing information technology systems to strengthen cyber security. Not only does this affect individuals but it is also a national problem. A study performed by the Ponemon Institute in June of 2016 shows that the average cost per stolen record is $158 (2016 Cost of Data). Multiple government agencies have been breached, releasing vital information about government employees and programs. In a recent preventative measure, the Department of Homeland Security decided to increase its Federal Cybersecurity programs by expanding EINSTEIN and Continuous Diagnostics and Mitigation programs. In Missouri, these laws are interpreted to require that any company notify every individual that is affected by a cyber breach and must offer one year of credit monitoring for the individuals.

What is your company doing? In today’s world, multi-factor authentication is a must. It simply adds another layer of security by texting a code to your mobile device after you sign in with a password. Many companies have created software like the Google Authenticator app that gives you a randomly generated code. This generated code regenerates every ten seconds, adding another level of security. Every company should also have a policy in place to deal with cyber-attacks when they occur, along with a way for employees to report any problems anonymously. According to a study done by PricewaterhouseCoopers, “the most widely used advanced-authentication technologies are hardware and software tokens, followed by biometrics such as fingerprint and iris scanners” (Global State of). Smartphone tokens are becoming more popular due to security compromises of business phones and work tablets. If password-less authentication is the route you wish to go, your organization may want to rethink its approach to identity management. Most important is an intuitive process for the end user. PwC recommends Identity and Access Management (IAM), a web service from Amazon Web Services that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization). Although products like Google Cloud IAM and AWS IAM are not a replacement for Active Directory or OpenLDAP, they are becoming a necessary add-on.

Cyber insurance is a specialized product that addresses the coverage gaps emerging in traditional insurance policies as organizations rely more on technology and take on the risk that comes with storing sensitive data. Cyber perils range from network outages and data theft to cyber extortion demands. Although you may not think it necessary yet, a paper released by R Street Technology Policy Fellow Anne Hobson argues that it is in the government’s best interest to hold vendors and contractors that do business with the federal government financially responsible for any cybersecurity issues on their part that cost U.S. taxpayers (Aligning Cybersecurity Incentives).

Old industries tend to lag in financial technology. “67% of risk professionals are not aware of their organization having processes and procedures in place to trigger a risk assessment of a modern technology before it is actually used,” and more than half of the respondents said their company had not undertaken risk assessments around disruptive technologies (technology innovation).

Blockchain technology is almost here.

On July 24th of 2017, innovative leaders from across the states got together at Washington University in St. Louis to talk tech. The topic was trade, and everyone was talking about how blockchain technology can revolutionize supply chain management. Brigid McDermott from IBM was on stage explaining how inefficient and unprotected most supply chains are. She explained how every company, every port, and every person along a supply chain has a unique way of recording and securing a transaction, which leaves too much room for corruption. “Less than 0.5% of all data is ever analyzed and over $130 billion is spent on big data and business analytics globally.” Inefficient and expensive supply chains seemed to be the theme. “Blockchain creates the trust necessary to address the end-to-end process,” she exclaimed. Being able to sort through a common ledger would save supply chains millions. Next in line was Soumak Chatterjee from Deloitte, who explained that a blockchain-based system not only beats any other centralized ledger in its ability to authorize and audit transactions, but excels in many fundamental security aspects. Next up was Kate Lybarger from Monsanto, followed by Farron Blanc from RGA, who spoke on blockchain in the insurance world. The highlight, though, came when Nick Williamson from Qad.re brought out a demo of his software, which could be used as a decentralized ledger for shipping warehouses. He showed the audience how this blockchain-based software could read, compile, and organize data from thousands of shipping containers with extreme accuracy. The goal is to stop fraud, counterfeit prescriptions to be exact, and Nick is going to do it with the support of smart contracts on the blockchain.

In the past month, the Promoting Good Cyber Hygiene Act of 2017, a piece of cybersecurity legislation, was introduced in Congress. This legislation would mandate that the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) outline the steps necessary to establish baseline practices for good cyber security. A couple of years back, the National Cybersecurity Protection Act of 2014 became law to direct the goals of the DHS and stakeholders. This law pushed the private sector to share incident response and cybersecurity information with public entities to enhance overall security. Reluctance from companies to share their security analysis led to the Promoting Good Cyber Hygiene Act. It highlights, regardless of location or industry, nine critical updates:

Critical Updates:

  • Old or unpatched networks
  • Quarterly cyber security training
  • Multifactor authentication
  • Regular backups
  • Extra security with older systems
  • Cloud or blockchain migrations
  • Detection and prevention system analysis
  • Manage service providers
  • Cyber insurance

These updates are mandatory as connectivity expands. People often overestimate how much popular companies really know. For example, Wired released a video of two hackers remotely disabling a Jeep and killing the engine while it was on the highway. Not many understand that the computers in our cars are connected to the internet. More recently, Toyota has turned to MIT’s blockchain experts to explore possible systems for safer autonomous vehicles (Toyota Tech).

Advances in technology are great for our society in many ways. We can expect to see fewer accidents, greater connectivity, and more wireless freedom. We have already seen a great reduction in fatal accidents, including falls and car crashes. While the Internet of Things is expanding our abilities, it also carries a wake of disruptive characteristics and unpredictable events. Last year the Department of Homeland Security met to discuss interest in forming a cybersecurity data repository to better understand and visualize emerging cyber incidents (National Protection). A secure repository would help collect and aggregate cyber incident information, acting as a reliable source for the cyber risk community. Disruptive technologies have a big influence on the way industries form and collapse, and properly analyzing the data is important, but lagging regulation often prevents swift movement in the right direction. Although cyber risk is still foreign territory for many, it is important to stay progressive through these changing times. Creating a more robust and efficient cyber insurance market has the potential to strengthen current industries by greatly reducing the number of cyber-attacks and steering clear of the many societal threats our nation has already faced.

About the Author

Brandon Bradshaw: Analytics Intern attending Missouri State University, pursuing a Computer Information Systems degree. He plans to continue his education in the Management and Information Technology Department’s Cybersecurity Graduate Program.

Works Cited

Castro, Daniel, and Henry Sherwin. “Giving Consumers Access to Water Data Promotes Smarter Use.” Brink – The Edge of Risk. N.p., 24 Sept. 2015. Web. 17 July 2017.
Comstock, Jonah. “PwC: 1 in 5 Americans Owns a Wearable, 1 in 10 Wears Them Daily.” MobiHealthNews. PwC Study, Mobihealthnews Article, 21 Oct. 2014. Web. 26 July 2017.
PricewaterhouseCoopers. “Global State of Information Security Survey 2017: Toward New Possibilities in Threat Management.” 2017, pp. 8–10, www.pwc.com/gx/en/issues/cyber-security/information-security-survey/assets/gsiss-report-cybersecurity-privacy-possibilities.pdf.
“2016 Cost of Data Breach Study: Global Analysis.” 2016 Cost of Data Breach Study: Global Study. Ponemon Institute & IBM, 17 June 2016. Web. 21 July 2017.
CyberAvengers*, The. “Cyber Hygiene and Government–Industry Cooperation for Better Cybersecurity.” Brink – The Edge of Risk. N.p., 11 July 2017. Web. 17 July 2017.
Danzon, Patricia M., and Mark V. Pauly. “Insurance and New Technology: From Hospital to Drugstore.” Health Affairs Org. N.p., 2001. Web. 17 July 2017.
“FACT SHEET: Cybersecurity National Action Plan.” National Archives and Records Administration. National Archives and Records Administration, n.d. Web. 17 July 2017.
Famakinwa, Joyce. “Drones Create Safety Opportunities, Raise Privacy Concerns.” Businessinsurance.com. N.p., 31 May 2017. Web.
“Fitbit Reports $574M Q416 and $2.17B FY16 Revenue, Sells 6.5M Devices in Q416 and 22.3M Devices in FY16.” Fitbit, Inc. N.p., n.d. Web. 18 July 2017.
Gale, Melissa. “Technology Innovation Is Disrupting Risk Management.” Brink – The Edge of Risk. Brink The Edge of Risk, 26 June 2017. Web. 17 July 2017.
Gammons, Brianna. “6 Must-Know Cybersecurity Statistics for 2017 | Barkly Blog.” Barkly Endpoint Security Blog. N.p., n.d. Web. 17 July 2017.
Gautham. “It Is Time for the English Insurance Sector to Adopt Blockchain Tech?” SafeShare Insurance. N.p., 18 May 2016. Web. 17 July 2017.
Chavez-Dreyfuss, Gertrude. “Toyota, Tech Firms Explore Blockchain for Driverless Cars.” Reuters, Thomson Reuters, 22 May 2017, www.reuters.com/article/toyota-selfdriving-blockchain-idUSL1N1IO178.
“The Green Button – the Standardized Way to Get Your Energy Usage Data.” The Green Button – the Standardized Way to Get Your Energy Usage Data. N.p., n.d. Web. 17 July 2017.
Higginbotham, Stacey. “Why Insurance Companies Want to Subsidize Your Smart Home.” MIT Technology Review. MIT Technology Review, 12 Oct. 2016. Web. 17 July 2017.
Hurd, Will. “H.R.2227 – 115th Congress (2017-2018): MGT Act.” Congress.gov. N.p., 18 May 2017. Web. 17 July 2017.
Ponemon Institute. “Introduction.” 2016 State of Cyber Security in Small & Medium-Sized Businesses, sponsored by Keeper Security.
Laycox, Sandy. “Tech-enabled transparency is a major step in regaining control of healthcare costs.” Medical Exam pg 45, Leader’s Edge Magazine June 2017.
Lin, Patrick. “No, Self-Driving Cars Won’t Kill the Insurance Industry.” Forbes, Forbes Magazine, 25 Apr. 2016, www.forbes.com/sites/patricklin/2016/04/25/self-driving-cars-wont-kill-insurance-industry/#774d5c45746f.
Meola, Andrew. “IoT Insurance: Trends in Home, Life & Auto Insurance Industries.” Business Insider, Business Insider, 20 Dec. 2016, www.businessinsider.com/internet-of-things-insurance-home-life-auto-trends-2016-10.
Miller, Ron. “IBM Unveils Blockchain as a Service Based on Open Source Hyperledger Fabric technology.” TechCrunch. TechCrunch, 19 Mar. 2017. Web. 17 July 2017.
“Missouri Data Breach Laws: Notification Requirements.” TechInsurance. BIN Insurance Holdings, LLC, n.d. Web. 26 July 2017.
“National Protection and Programs Directorate; National Protection and Programs Directorate Seeks Comments on Cyber Incident Data Repository White Papers.” Federal Register. N.p., 28 Mar. 2016. Web. 17 July 2017.
Rader, Russ. “Death Rates Fall as Vehicles Improve.” IIHS, Status Report, Vol. 50, No. 1, 29 Jan. 2015, www.iihs.org/iihs/sr/statusreport/article/50/1/1.
Ralph, Oliver. “AIG Sets up Blockchain Policy for Standard Chartered.” Financial Times. N.p., 15 June 2017. Web. 17 July 2017.
Rorke, Catrina, et al. “Aligning Cybersecurity Incentives in an Interconnected World | R Street.” R Street Institute | R Street, R Street, 16 Feb. 2017, www.rstreet.org/policy-study/aligning-cybersecurity-incentives-in-an-interconnected-world/.
“Self-Driving Cars and Insurance.” Insurance Information Institute. N.p., July 2016. Web. 17 July 2017. http://www.iii.org/issue-update/self-driving-cars-and-insurance.
Shabat, Matthew. “National Protection and Programs Directorate; National Protection and Programs Directorate Seeks Comments on Cyber Incident Data Repository White Papers.” Federal Register, Department of Homeland Security, 28 Mar. 2016, www.federalregister.gov/documents/2016/03/28/2016-06856/national-protection-and-programs-directorate-national-protection-and-programs-directorate-seeks.
Vivint. “Home Automation Giant Vivint Partners with Liberty Mutual Insurance to Offer Its Customers Savings on Auto and Home Insurance.” PR Newswire: News Distribution, Targeting and Monitoring, PRNewswire, 3 Aug. 2017, www.prnewswire.com/news-releases/home-automation-giant-vivint-partners-with-liberty-mutual-insurance-to-offer-its-customers-savings-on-auto-and-home-insurance-234214571.html.
Weinstein, Mark. “What Your Fitbit Doesn’t Want You to Know.” The Huffington Post, TheHuffingtonPost.com, 21 Dec. 2015, www.huffingtonpost.com/mark-weinstein/what-your-fitbit-doesnt-w_b_8851664.html.



Electronic Medical Records in 2016 – A Success Story

August 19, 2016


It’s been three years since we posted “Update 2013 – Electronic Medical Records – What’s next?”. Back in 2013, Electronic Medical Records (EMRs) were a relatively new technology that most health care providers were still working to adjust to. Since then a great deal of progress has been made in getting doctors and hospitals to adopt this new system of recording the health information of their patients.

As mentioned in our previous article, the Federal government began investing over $31 billion in 2011 in the form of incentive payments to physicians and hospitals to spur the move toward Electronic Medical Records. Today almost every hospital and about 75% of physicians have implemented EMRs. And although the use of EMR systems has become prevalent, physicians still continue to complain about having to use them.

Earlier this year at the Healthcare Information and Management Systems Society Convention, Dr. Karen DeSalvo, National Coordinator for Health Information Technology at the Department of Health and Human Services, announced that more work is now needed to reform our health care delivery system so that we can begin to reap the most value from that investment.

Three-year goals were established in January 2015 in the form of a draft interoperability roadmap, Connecting Health and Care for the Nation. Progress has been made in connecting networks in both private enterprise solutions and public health exchanges.

Dr. DeSalvo mentioned that two mobile apps are still needed: one for consumers and a second for clinicians. These apps will enhance the interoperability of EMR systems at a cost of $175,000 each. Development of “an open resource” website, which will make it easier for developers to publish apps, is also needed.

These initiatives reflect the need for EMR systems to make the lives of health care providers simpler instead of more complex, and to give patients improved access to their medical information and a better way to communicate with their doctors.

Key trends continuing in 2016 according to an article published in Healthcare IT News include the following:

  • Cloud-based EMR services which will reduce the costs of implementation and updating of EMR systems.
  • Improved patient portals with additional features allowing a heightened level of access and patient recording of health information.
  • Growth of telehealth estimated to hit over $30 billion by the end of the decade. The expansion of this service is expected to mesh well with the growing senior population.
  • Mobile-friendly EMR systems that allow providers to untether from a computer screen.

Opening the avenues of access to health information also increases the risk of a data breach. The hacking of personal medical information holds great potential for the unscrupulous seeking identity theft and other cybercrimes. Data security is of utmost importance, especially when records are accessed through mobile devices or other cloud-based services. It is vital for systems to maintain the utmost level of cybersecurity during implementation and as updates are made for additional features.

In summary, a great deal of progress has been achieved in EMRs in the past several years. Enhancements and improvements being implemented today and in the near future will further solidify this technology into our health care delivery system. The ultimate payoff will be improved patient care and reduced cost of health care.


The Facts About HIPAA Audits

May 2, 2016


There’s been a lot of buzz about the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) gearing up for another round of HIPAA audits. The audits are not intended to be witch-hunts, despite how they are often portrayed, but they are also not anything to dismiss. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to impose privacy and security requirements and improve portability of health coverage. Most people are familiar with HIPAA because of special enrollment rights or because of the security rules surrounding Protected Health Information (PHI).

The OCR completed Phase 1 of their audit program back in 2011-2012. That round of audits focused solely on covered entities. Covered entities are health care clearinghouses, health care providers and health plans like those employers offer. Self-insured employers can be covered entities if they offer a self-funded plan.

Phase 2 began earlier this year. Phase 2 encompasses not only covered entities but also their business associates. The OCR has begun contacting covered entities and their business associates to verify contact information and place these entities in a pool of potential auditees. However, not everyone who has been contacted by the OCR will be selected for an audit. The OCR estimated it will select approximately 350 covered entities out of a pool of 550-800. Fortunately, the OCR has outlined its process for contacting and selecting business associates for an audit.

The Audit Process

The first step employers can take to prepare is to check their inboxes and spam filters regularly. The OCR will communicate via email, and unresponsive parties will still be entered into the audit pool. The next step is to wait for a letter confirming your selection for auditing. The OCR will send out an initial request letter to inform covered entities and business associates that they have been chosen for an audit and will request various documents and data. Responsible individuals will have 10 days from receipt to respond to the email and provide any documents or data requested.

The OCR will give auditees the chance to explain any potential discrepancies. The auditor will provide draft findings nearing the conclusion of the audit. Auditees have 10 business days to review and return written comments as necessary. The final report is due within 30 business days after the auditee’s response.

Again, the OCR intends for these audits to help them understand the difficulties entities face in complying with HIPAA. They also want to help these entities improve their HIPAA compliance. Yet if they do find serious HIPAA concerns or breaches, they may launch an in-depth compliance review. Serious breaches may trigger monetary, civil and/or criminal penalties of varying degrees. Even though there’s no guarantee that your group will be selected, employers should consider some basic preparation.

Preparing for an Audit

There is a vast array of documents the OCR could request from an auditee. Companies should make sure they have easy access to all important documents should they be selected for an audit and prepare any documents they do not currently have in place. Some of the documents the OCR may request include:

  • Most recent Risk Analysis
  • Entity-wide Security Plan
  • Risk Management Plan
  • Network penetration testing policy and procedure
  • Encryption measures implemented on systems that store, transmit, or access e-PHI (electronic PHI)
  • List of members responsible for HIPAA compliance
  • Proof of HIPAA training
  • Disaster recovery plan tests and results

This is not an exhaustive list, but a good starting point for any company. Being prepared will ease the audit process and hopefully provide an extra dose of confidence to companies working with the OCR.


Another Insurance Carrier Data Breach

March 25, 2015


Premera Blue Cross Blue Shield, a health insurance company operating primarily in Alaska, Oregon and Washington, announced this week that it discovered a data breach of its system. Premera said it discovered the breach on January 29, 2015, the same date as the Anthem data breach, but only announced the breach to the public on March 17, 2015, the date it began mailing legally-required notices to affected individuals. By contrast, Anthem informed the media of its breach on February 13. Some have speculated that the two cyber-attacks may be related, but nothing has been confirmed at this point. Premera is assisting the FBI’s investigation into the attack.

Premera announced that a wide range of data was compromised as part of a “sophisticated cyberattack.”  That data includes names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, member IDs, bank account information, and claims information.

Any Premera members, applicants or business partners could be affected, dating back to 2002.  Additionally, any Blue Cross Blue Shield plan member who used their “Blue Card” to receive medical treatment in Washington or Alaska since 2002 could be affected.

Like Anthem, Premera is offering two years of free credit monitoring and identity theft protection services to all affected individuals. For additional information, see Premera’s data breach website at www.premeraupdate.com.


Preparing for the ICD-10 Transition

March 10, 2015


As the October 1, 2015 deadline quickly approaches, health care providers, payers, clearinghouses, and billing services are in the final stages of transitioning from ICD-9 to ICD-10. ICD is the abbreviation for “International Classification of Diseases,” and 10 represents the tenth revision. ICD codes identify the diagnosis on the bill; ICD-9 codes use 3 to 5 numeric digits, while ICD-10 codes will use 3 to 7 digits and will report diagnoses in all clinical settings.

With the coding changes comes the expansion of the current 14,000 available diagnosis codes to more than 67,000, and of procedure codes from 13,000 to 85,000. This highly complex system will provide a level of detail in claims processing that is complete, accurate and up to date, and it is intended to save claim costs on improperly coded submissions. Eventually the cost of the transition to health care providers, payers, clearinghouses and billing services will be passed back to consumers.

Although widely accepted and used in the United States, the ICD-9 coding structure has limited the ability to properly identify diagnosis trends, public health needs, epidemic outbreaks, and bioterrorism events. Because of its ability to classify diseases and related health problems, over 25 countries are currently using ICD-10.

The US belongs to the World Health Organization which requires notification of all events that constitute a public health emergency of international concern. Adoption of ICD-10 facilitates detection, verification and appropriate responses to epidemic-prone and emerging disease threats, comparisons of quality of care and sharing of best practices on a global level.

To meet the Health Insurance Portability and Accountability Act (HIPAA) requirements, a code set had to meet the needs of the health data standards user community and be consistent and uniform with other HIPAA standards. ICD-10 meets the standards that will enhance accurate payment for services rendered, improve quality of care and documentation, and identify diagnoses and procedures precisely, including the ability to accurately compare data worldwide. All services rendered on or after October 1, 2015 must be coded using ICD-10; services on or after October 1, 2015 coded with ICD-9 will be considered non-compliant transactions.

The transition to ICD-10 codes will result in fewer rejected claims and improved benchmarking data, including identifying abusive or fraudulent reimbursement submissions, and will provide consumers with data on the cost and outcome of treatment options. The final intent is to enhance business through lower premium costs and to increase customer confidence through improved strategies to prevent illness and injuries.


Cyber Liability Policies and the Anthem Breach

February 19, 2015


In light of the most recent high profile data breach with Anthem, it is probably a good time to revisit the Cyber Liability policy and what implications for coverage there may be. Let’s consider a hypothetical manufacturer, ABC Company, which carries Cyber Liability and uses Anthem for their health plan (it does not matter if it is fully-funded or self-funded). After the breach, the executives at ABC Company will be trying to decide if they are liable in any capacity.

In order to understand this, we need to understand who sustained the loss. In a vast majority of Cyber Liability policies, the loss must occur on the insured’s computer network. Travelers defines this as a “computer system rented by, owned by, leased by, licensed to, or under the direct operational control, of the insured organization”. The Anthem breach occurred on the Anthem computer system and not that of their clients (such as ABC Company). As such, Anthem has been very vocal that they are responsible for the expenses associated with notification and communication. They are also picking up the credit monitoring for up to 2 years (as opposed to the normal 1 year stated in most insurance agreements).

Does this mean that ABC Company should move on without worrying about reporting this potential loss to their carriers? NO! With regard to all Executive Risk policies like Cyber Liability, it is better to take a cautious, even conservative, approach and report anything that may give rise to a claim. With the legal environment around data breaches being relatively young, it is hard to anticipate when and if a lawsuit will be filed – and in this case, against whom. Depending on the type of loss and circumstances, there is the potential for coverage under Directors & Officers Liability, Employment Practices Liability, or even Professional Liability. Many carriers have added small or incidental limits to help with claims for negligence or wrongful acts on these non-Cyber lines.

The other reason to report potential losses, even if you are unsure if they could become a claim, is to avoid penalties or declinations for late reporting. Many carriers have wording within the insurance contract limiting the timeline in which a claim can be reported. Even if something didn’t seem like a claim when it first occurred, it is important to report that incident to avoid any confusion. Carriers generally see this as a favorable risk mitigation practice and won’t penalize their client for being proactive.

At minimum, these types of high profile breaches should be a good reason to have a conversation with your broker. Use it to develop an understanding of the exposure and the products available as they are changing all the time. Electronic theft is not going to decrease, but rather continue to increase exponentially. As it does, mitigating the risk will become a larger and larger part of your insurance program and more importantly, how you approach your business.


Anthem Cyber Attack Update – Employer Response to Anthem Breach

February 16, 2015


As Anthem continues its investigation into the cyber-attack on its systems, many employers are wondering how they and their employees are affected and what steps they should take to protect themselves.

Although Anthem has not yet determined the extent of the breach and which individuals’ information has been compromised, it has disclosed that all lines of business were impacted, including Anthem Blue Cross and Blue Shield plans in Missouri as well as the HealthLink network. In addition, Blue Cross/Blue Shield members in other states may have been affected, since information is shared amongst BCBS affiliates using its national network.

Anthem has indicated that personal information of current and past members going back to 2004 may have been accessed during the incident. This information includes names, birthdays, addresses, employment information, member ID numbers, and Social Security numbers. No credit card, banking or other client payment information is believed to have been involved.

Even though as of this time it is not believed that medical claims information was involved, HIPAA’s Privacy and Security rules protect any individually identifiable health information associated with a health plan.

Anthem will be providing all required regulatory and member notices as a result of the breach. This includes its own obligations for fully insured clients as well as the responsibilities of self-funded plan sponsors using ASO services or one of the affected networks. HIPAA regulations do permit these obligations to be contractually delegated to business associates, so notices issued by Anthem will not need to be duplicated by the employer.

In any event, employers will still want to take steps to ensure that employees are protected as much as possible. Although Anthem will be sending notifications to affected individuals within the next two weeks, employers may wish to be proactive in communicating information about the incident to employees, encouraging them to contact Anthem with specific questions and concerns, and urging them to take advantage of the two years of credit monitoring and identity theft protection services being offered by Anthem to all current and past members who have been enrolled since 2004. Employees should also be warned against potential scams conducted by telephone asking for personal information or by email with outside links.

Anthem has established a dedicated website (www.AnthemFacts.com) and toll-free telephone number (1.877.263.7995) for questions regarding the incident and the status of Anthem’s response. Anthem will also be holding a town hall meeting webinar to address specific employer concerns:

Employer Town Hall Meeting

Date: Tuesday, February 17, 2015

Times: 3:30 pm to 5:00 pm Eastern Time; 2:30 pm to 4:00 pm Central Time; 1:30 pm to 3:00 pm Mountain Time; 12:30 pm to 2:00 pm Pacific Time



Anthem releases updated Cyber Attack FAQ document

February 11, 2015


Anthem has received many questions regarding the Cyber Attack against Anthem.  Please find attached an updated FAQ document which provides answers to many of these questions.

Anthem continues their efforts to address all of the questions submitted regarding the Cyber Attack and will provide updates as they become available.

Anyone with questions is encouraged to visit www.anthemfacts.com or call 1-877-263-7995.


Exchange Cyber Leak Stopped

February 11, 2015


Healthcare.gov was involved in a scandal earlier this year when reports arose that the website was sending private information to third parties. The information leaked was personal health information that mistakenly became part of the URL, which third parties had access to. The URL contained the age, smoking status, pregnancy status, parental status, zip code, state and annual income of the individual using healthcare.gov. The URL was created when customers used the Window Shopping tool to estimate their coverage cost. When a consumer got their results, the site created a URL that included the data entered in the calculator, and third parties could see that URL even if the “Do Not Track” feature was activated. These third parties can be companies like DoubleClick, which matches personal data collected from sites to your online presence and creates detailed and targeted ads. For example, if you are pregnant the ads can be pregnancy-centered.

Other risks include a cyber-attacker compromising healthcare.gov via a third-party resource and using that information for nefarious purposes.  However, there is no indication that this has happened and no alarm has been raised by the government about a significant risk.

In fact, the Department of Health and Human Services (HHS) already added another layer of encryption to the website to help security.  The information embedded in the URL is no longer there and new encryption limits the personal information available to third-party companies.  The HHS will continue to monitor online security and take steps as needed to protect customers.
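As an added example, not code from the original post or from HHS: the check a site operator or privacy team can run to catch this kind of leak, a scan of web-server log lines for Referer URLs that carry the calculator fields, plus a scrub routine that strips those fields before a URL is shared or logged. The parameter names and the log lines are constructed for the demo.

```python
"""Detect and scrub PHI-like fields leaking through URL query strings.

Added example, not the original post's or HHS's code. The parameter names
and the access-log lines are constructed for the demo; a real audit would
take the names from the form that builds the URL.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Fields the post says ended up in the URL (parameter names are assumed).
SENSITIVE_PARAMS = {"age", "smoker", "pregnant", "parent", "zip", "state", "income"}

# Constructed log lines in the shape a third-party tracker would record:
# client, request line, Referer (the page that embedded the tracker), user agent.
SAMPLE_LOG = """\
10.0.0.5 "GET /analytics/collect?cid=123 HTTP/1.1" "https://example-marketplace.invalid/see-plans/?age=34&smoker=1&pregnant=0&zip=63101&income=52000" "Mozilla/5.0"
10.0.0.6 "GET /analytics/collect?cid=124 HTTP/1.1" "https://example-marketplace.invalid/see-plans/?session=abc123" "Mozilla/5.0"
10.0.0.7 "GET /static/logo.png HTTP/1.1" "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')


def sensitive_params(url: str) -> list:
    """Names of sensitive query parameters present in a URL (case-insensitive)."""
    query = urlsplit(url).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def scrub_url(url: str) -> str:
    """Drop sensitive parameters so the URL is safe to appear in a Referer or a log.

    Keeps the remaining parameters in their original order.
    """
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def audit_log(text: str) -> list:
    """Return (client, referer, leaked_names) for each Referer carrying sensitive fields."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                      # not in the expected format; skip quietly
        client, _request, referer, _agent = match.groups()
        if referer == "-":
            continue                      # no Referer sent
        leaked = sensitive_params(referer)
        if leaked:
            findings.append((client, referer, leaked))
    return findings


if __name__ == "__main__":
    for client, referer, leaked in audit_log(SAMPLE_LOG):
        print(f"{client} leaked {leaked} via Referer; scrubbed form: {scrub_url(referer)}")
```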


Email Scammers Targeting Anthem Members

February 8, 2015


Anthem members who may have been impacted by the recent cyber attack should be aware of scam email campaigns targeting current and former members. These scams, designed to capture personal information (a technique known as “phishing”), appear to come from a health plan, and the emails include a “click here” link for credit monitoring. These emails are NOT from Anthem.

DO NOT click on any links in email.
DO NOT reply to the email or reach out to the senders in any way.
DO NOT supply any information on the website that may open, if you clicked on a link in email.
DO NOT open any attachments that arrive with email.

Anthem is not calling members regarding the cyber attack and is not asking for credit card information or social security numbers over the phone.

This outreach is from scam artists who are trying to trick consumers into sharing personal data. There is no indication that the scam email campaigns are being conducted by those that committed the cyber attack, or that the information accessed in the attack is being used by the scammers.

Anthem will contact current and former members via mail delivered by the U.S. Postal Service about the cyber attack with specific information on how to enroll in credit monitoring. Affected members will receive free credit monitoring and ID protection services.

For more guidance on recognizing scam email, please visit the FTC Website.

Anthem has created a dedicated website – www.AnthemFacts.com – where everyone can access information such as frequently asked questions and answers.
