Earlier this year, a cyberattack against a major healthcare claims processing provider had an unprecedented impact on patients and healthcare providers across the country. Although group health plans were not directly targeted in the attack, the scale of the incident serves as an important wake-up call for plan sponsors and fiduciaries to step up their cybersecurity efforts. When you think about healthcare data security, the first law that comes to mind might be HIPAA. But ERISA also comes into play because of its rules regarding plan fiduciaries. Here’s an overview of this costly cyberattack and what you need to know about your cybersecurity responsibilities as a plan sponsor or fiduciary under ERISA.
The Change Healthcare cyberattack
On February 21, cybercriminals accessed Change Healthcare’s computer systems, encrypting critical IT data and claiming to have stolen six terabytes of sensitive information, including personal information and medical records. The attack caused Change Healthcare to shut down its systems, paralyzing hospital and pharmacy systems, claims authorization, billing and payment systems across the country. It was arguably the most significant healthcare cybersecurity disruption in U.S. history.
UnitedHealth Group, parent company of Change Healthcare, paid a $22 million ransom to the attackers in an attempt to reduce the risk that the stolen medical data would be exposed, and advanced an additional $3.3 billion to affected healthcare providers whose cash flow had been cut off. These amounts do not include the forensic, incident-response and legal costs of responding to the attack. In its first quarter 2024 report, UnitedHealth Group disclosed $872 million in losses from “adverse effects from cyberattacks.”
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on March 13 that it had opened an investigation into the Change Healthcare attack. OCR oversees and enforces the privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which apply to “covered entities” such as health care providers, clearinghouses, and health plans, and to their business associates.
OCR said its investigation is focused on Change Healthcare and UnitedHealth Group rather than on the health plans and other covered entities affected by the attack, but it reminded covered entities of their “regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notifications to HHS and affected individuals are made as required by HIPAA regulations.”
Beyond HIPAA: How ERISA Impacts Healthcare Fiduciaries’ Cybersecurity Liability
While OCR requires health plans and other covered entities to comply with HIPAA, most employer-sponsored group health plans must also comply with the Employee Retirement Income Security Act (ERISA). This Insight focuses on the ERISA rules, but both HIPAA and ERISA bear on a plan’s cybersecurity practices, as summarized below.
HIPAA
HIPAA requires covered entities, such as health plans, to designate a privacy officer and a security officer to develop and enforce the plan’s HIPAA-compliant policies and procedures. The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). As noted above, OCR (part of HHS) enforces the HIPAA Rules, and it publishes cybersecurity guidance materials for covered entities and business associates.
ERISA
Under ERISA, anyone who exercises discretionary authority or control over the management or administration of a plan is an ERISA fiduciary. Fiduciaries may include the employer sponsoring the plan (especially if the plan is wholly or partially self-funded) and certain other persons, such as the plan’s trustees and administrators. ERISA requires fiduciaries to administer group health plans prudently and solely in the interest of plan participants and beneficiaries, which may include mitigating cybersecurity risks. ERISA is enforced by the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL). The DOL’s cybersecurity guidance is discussed below.
Potential overlap
Note that a plan’s HIPAA privacy or security officer can also be an ERISA fiduciary if he or she exercises sufficient discretion with respect to the plan. However, under current guidance, serving as a HIPAA privacy or security officer does not by itself automatically create ERISA fiduciary status.
DOL Cybersecurity Guidance for Plan Sponsors and Trustees
In 2021, the DOL issued cybersecurity guidance aimed at ERISA-regulated plan sponsors and fiduciaries, as well as plan participants and beneficiaries. This non-binding guidance was initially directed at ERISA-governed retirement plans, but the DOL has since confirmed that it also applies to ERISA-governed group health plans.
Under this guidance, ERISA fiduciaries are expected to take appropriate precautions to mitigate cybersecurity risks. On that basis, ERISA fiduciaries (including HIPAA privacy and security officers who also serve as ERISA fiduciaries) have a responsibility to notify plan participants and beneficiaries of a cybersecurity breach promptly after becoming aware of the attack, so that potential damages can be mitigated.
What should you do?
If your company sponsors an ERISA-governed health plan, strongly consider adopting the DOL’s cybersecurity program best practices to mitigate cybersecurity risks and to help your company withstand a DOL investigation if an attack occurs. Because the DOL originally developed this guidance with retirement plans in mind, it may need to be tailored to the specific needs of your health plan.
Work with your legal counsel to ensure you satisfy any fiduciary duties that you (as plan sponsor), your employees, or your third-party service providers may have. Keep in mind that you may also have additional cybersecurity obligations under HIPAA or other federal, state, or local laws.