Health Insurance Breach Risks: Protecting Employee Welfare

Approximately 150 million American workers are insured through employee benefit plans regulated by the Employee Retirement Income Security Act (ERISA). As health insurance data breaches escalate, a substantial number of these individuals and their health plans risk becoming targets of fraud and identity theft.

Since 2021, over 400 million health insurance identities have been exposed in breaches. The breached entities, including employers, third-party administrators, and insurance carriers, have largely not provided protections against identity theft or fraud, leaving an unresolved risk for plan sponsors. Insurance brokers and advisers should prioritize this issue to help their clients mitigate the threat.

The lack of adequate protection for sensitive health information has led to a surge in class-action lawsuits against breached entities. Legal actions have proliferated following health insurance data breaches, as settlements for Health Insurance Portability and Accountability Act (HIPAA) violations can amount to as much as $25,000 per compromised identity, covering both the cost of claims and necessary remediation.

According to Senator Mark Warner and Experian, stolen identities can sell for over $1,000 each on illicit markets. These details are frequently used for fraudulent insurance claims, harming both health plans and individual plan members. The Ponemon Institute estimates the average cost of remediating a stolen healthcare identity exceeds $13,000 per person. This issue is highlighted by incidents such as the fraudulent claims in Minnesota’s Medicaid program.

Under HIPAA, ERISA-governed health plans must implement safeguards that prevent unauthorized access to protected health information (PHI) and maintain its confidentiality. ERISA also makes plan administrators fiduciaries, a duty that extends to securing participants' health information. Together these rules require safeguarding PHI in both paper and electronic form (the HIPAA Privacy Rule covers PHI in any form, while the Security Rule specifically covers electronic PHI) and require that individuals be offered opt-out options for electronic communications.

ERISA protects benefit plan assets and participants from loss or misuse, while HIPAA protects the health information that plans and their service providers hold. The Consolidated Appropriations Act (CAA) of 2021 adds a legal obligation on employers to manage their health plan spending responsibly, including the fees and commissions paid to brokers and consultants. Plan sponsors that fail to protect breached identities from fraud may face legal action.

Recent litigation has targeted health plans for inadequate oversight of their intermediaries. An emerging trend also shows lawsuits against benefits brokers and advisers for failing to put client interests first when it comes to benefit plan commissions. As class actions over PHI breaches mount, the focus has so far been on the breached entities rather than on plan sponsors, who may nonetheless be held accountable if they fail to protect their employees from fraud.