As many as 150 million working Americans are covered by health plans organized under ERISA. Given the scale of health insurance data breaches, there is a high probability that millions of them — and their health plans — will be victims of fraud and identity theft.
More than 400 million health insurance identities have been breached or compromised since 2021 alone. Yet no breached entity, employer, third-party administrator (TPA) or health insurance carrier has offered any protection against identity theft and fraud targeting health insurance benefits. This is a potentially large but unaddressed risk to plan sponsors and their service providers, and one that benefit brokers and advisers need to help their employer clients guard against.
The absence of protection for protected health information (PHI) contributes to the rise in class-action suits against breached entities. As soon as a health insurance breach is announced, attorneys are soliciting plaintiffs for the victimized class. This has become a rich vein for the class-action bar, given that settlements for HIPAA violations have reached up to $25,000 per stolen identity, including the cost of claims and remediation.
Those identities, according to Senator Mark Warner and Experian, are worth north of $1,000 on the underground market. That value reflects the ease with which those identities can be used to file false insurance claims, which damage both the health plan and the individual member. The Ponemon Institute estimates the cost of remediation for a stolen healthcare identity at over $13,000 per individual. The unfolding fraud story in Minnesota's Medicaid program demonstrates how stolen identities are used to file false claims.
Obligated to mitigate
ERISA requires plan administrators to act as fiduciaries, which includes protecting the confidentiality and security of participants' health information. While
Responsibilities include securing physical and digital access to PHI,
In the notifications that breached entities send to victims, the offered remedy is almost exclusively credit monitoring, sometimes accompanied by a service that tells victims that their identity has appeared on the dark web. Credit monitoring is necessary, but it has no relevance to the breach of PHI, which is left unprotected.
Telling someone that their identity is on the dark web may meet emerging notification requirements, but it does not prevent false claims from being paid, and it is the payment of those claims that starts the costly remediation process.
We have recently seen the second wave of lawsuits naming large benefits brokerages and advisories for not acting in the interests of client companies with regard to voluntary benefit plan commissions. And the regular class-action lawsuits demanding damages from PHI breaches have targeted the entities that have been breached but not plan sponsors whose entire employee roster may have been compromised. The question is, will we see future litigation against plan sponsors that have not sufficiently protected their employees and their health plans from preventable fraud — with or without a breach?
If every
Paul Eckloff, an experienced leader in security, threat assessment and communication, recently noted that what's missing from this equation is a post-breach protection doctrine.
"If PHI or PII is exposed," he wrote, "the obligation shouldn't stop at disclosure. It should extend to actively protecting the person from downstream misuse. Asset protection, identity suppression, transaction controls and monitoring for exploitation, not just access. In other words, cybersecurity needs to evolve from 'did someone get in' to 'can anyone do damage with what they got.' Until that shift happens, we'll keep securing databases while leaving people exposed."
I couldn't agree more — and it's high time that employers and their advisers heed this warning.