Case Study

Data Breach
Chaos Control

We’re a trusted legal adviser and partner to one of the world’s largest and most notable health insurance companies. We’re helping them navigate the choppiest waters.

Client Challenge

The compliance team of a large health plan with members in over 40 states fields approximately 300 questions per year from its business team about whether it can do things with health information. Also, through standard audits and extensive employee training, the client routinely learns about minor incidents and occasionally needs to address major security breaches. The client asked: how should the team categorize and assess questions and incidents, and then what? The health plan turned to Jayaram. Good thing – one of the client’s vendors experienced a technically complex phishing incident, with an initially unknown impact on members and data. 

Strategies, Tactics, and Solutions

To ensure the privacy team considers each question and incident consistently and effectively, we collaborated with them to create a six-step assessment tool in which the specific circumstances of each incident can be assessed and evaluated in a non-biased way. We developed a consistent set of factors to weigh for each incident so we can identify the most appropriate approach to the situation in a uniform way. We also devised a systematic, multi-branched response approach.

Using the assessment tool, the privacy team recognized the serious nature of the vendor phishing incident and immediately leaned on us to manage the response. Jayaram worked closely with the vendor’s legal counsel and security and privacy teams, as well as our client’s Chief Privacy Officer, Chief Information Security Officer, in-house Privacy Counsel, and internal business analytics team. As members’ identities were discovered, we reviewed approximately 40 state security breach laws. We implemented a notification scheme to manage the various notification timelines and content requirements, including custom drafting and first delivering notification letters to members in states requiring notification earlier than HIPAA. Ultimately, we filed breach reports to regulators in nine states and the Department of Health and Human Services. We implemented four different notification templates so our client could notify approximately 1300 members located in 38 states. We also prepared notification letters so our client could notify sponsors of self-funded insurance plans, confirmed the availability of credit monitoring services, prepared appropriate media releases, confirmed the availability of a toll-free number, and prepared a Frequently Asked Questions document so our client’s customer service team could answer inquiries.


Favorable Outcomes & Happy Clients

By using a multi-pronged strategy, we were able to shield the company from negative press, which was a concern given the company’s household reputation. Seven months later, the Department of Health and Human Services Office for Civil Rights opened an investigation and sent our client a request for data. Based on our work product, the department closed the investigation and took no action against our client. Then, we obtained prompt and full payment from the vendor for our client of all expenses related to the incident (based on a broad indemnification clause in our client’s contract that we had previously negotiated with the vendor). With the Jayaram-designed assessment tool and procedures, and Jayaram’s triage execution, the client handily navigated turbulent waters. We continue to advise our client on matters both large and small and have deepened our relationship between their dynamic team and our own bench of talent.