The requirements under the HIPAA/HITECH statutes for public disclosure of security breaches of Protected Health Information (“PHI”) have brought to light a remarkably diverse parade of breaches of PHI. They have also often encouraged providers and insurers to go well beyond the minimum legally required response as a matter of good business relations.
Courtney Perkes reported in the June 23, 2010 issue of The Orange County Register (“OCR”) that 230,000 Anthem Blue Cross (“Anthem”) customers in California had been sent letters informing them that their personal information might have been accessed during a security breach of the Anthem website. The article pointed out that the recipients of the letters were limited to those who were applying for insurance, because the potential breach related to the applicants’ ability to track the on-line progress of their applications.
Ironically, the article further noted that the source of the potential breach was access to PHI primarily by attorneys seeking information on applications for a putative class action lawsuit against Anthem brought by “a Los Angeles County resident who discovered that her application for insurance was available for public view.” According to the article, Anthem sent out the notices to 230,000 Californians out of an “abundance of caution” because the actual number of files that had been accessed was unclear.
The Anthem matter involves an insurer, for which a breach can expose substantial PHI for hundreds of thousands, or even millions, of subscribers. As one person quoted in the OCR article put it: “There’s not one place that has more information on you than your health insurer. It’s the absolutely most personal level of information all the way down to Social Security numbers. That would be about the last place I would want someone to gain access.”
For its part, like numerous other providers and insurers that have experienced PHI security breaches, Anthem has offered a free year of identity protection service to the recipients of notices. The information that was improperly obtained has apparently been returned by the attorneys to a custodian in the court system.
The public disclosures required by HIPAA/HITECH for security breaches involving PHI make insurers and providers vulnerable to commercial embarrassment, criticism and loss of reputation that may actually dwarf the legal costs and statutory consequences of the security breach itself. Accordingly, insurers and providers should act responsibly to avoid security breaches in the first place. If a breach does occur, prompt, decisive and proactive action is required to maximize damage control and rehabilitate relations with consumers.