As has now been widely reported, Anthem, Inc. was the unfortunate target of a cyber-attack potentially impacting 80 million current and former customers. Some reports have indicated that the HIPAA breach notification rules will not apply to this breach. However, the information stolen appears to include individually identifiable information, potentially including health plan enrollment information. Enrollment information, in the hands of a health plan, is protected health information (PHI), so it is possible that the HIPAA data breach notification rules are applicable. As such, both insured and self-funded customers utilizing Anthem as their third-party administrator (TPA) should review information concerning the Anthem breach carefully before concluding that the HIPAA breach notification rules do not apply.
Additionally, given that claims for other Blue Cross Blue Shield customers may have been submitted through Anthem for employees and dependents in an Anthem service area, it is possible that Anthem has information on individuals