Tag Archives: Managed Care Companies

CareFirst, Third Major Health Insurer This Year To Be Hit By Cyberattack

On May 20, 2015, CareFirst BlueCross BlueShield (“CareFirst”) announced that it was the latest victim of a major cyberattack, with as many as 1.1 million plan customers affected. The event affects current and former CareFirst members, and individuals who do business with CareFirst online, who registered to use CareFirst’s websites prior to June 20, 2014.

CareFirst said that although the hackers may have acquired customer names, email addresses, birthdates, customer-created user names and subscriber identification numbers, they did not obtain sensitive financial or medical information like Social Security numbers, medical claims, credit card or employment information or passwords associated with the user names.  The company has stated that those affected by the cyberattack will be provided two free years of credit monitoring and identity theft protection.

Explaining how CareFirst learned of the breach, Chet Burrell, CareFirst’s chief executive, said that after cyberattacks on other insurers earlier this year, he created a task force to review the company’s information technology systems. CareFirst then hired Mandiant, a division of FireEye, to perform a forensic review of its systems. Last month, Mandiant determined that a breach had occurred in June 2014, allowing unauthorized access to a single database containing the information listed above.

Just hours after the announcement of the breach, class action law firms were already investigating the circumstances of the breach and seeking plaintiffs who may have been affected.  Now that state claims may be brought based on HIPAA as a standard of care, the suits will likely consider potential harm due to the disclosure and whether CareFirst adequately protected the information and provided timely notice.  These are the same types of claims brought in the numerous class action lawsuits after the Anthem cyber-attack in February 2015.

The cyber-attack and pending lawsuits should serve as a reminder for healthcare companies to review and properly implement their HIPAA privacy and security policies and procedures.  For more information on HIPAA, health care compliance or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.

The UPMC – Highmark Dispute: The Beginning of the End of Medical Practices Using Hospitals’ Managed Care Contract Rates?

Recent trends across the country have health systems buying out private physician practices and reclassifying them as hospital-outpatient departments. There are a number of motivations behind these transactions, the greatest being managed care contracting. Typically, the physician practice will reassign its Medicare NPI number to the hospital, and the hospital will then bill exclusively under that NPI number. The hospital will also submit claims to the third-party payor and receive payments based on the hospital’s negotiated contract rates and fee schedule.

Critics, including a number of insurers, have claimed that this practice allows the hospital to bill higher rates for the same service at the same location. For this reason, on February 26, 2014, Highmark, a Blue Cross Blue Shield company based in Pittsburgh, stated that it would stop reimbursing health systems at higher hospital-outpatient rates for cancer treatment performed in physician offices. Highmark explained that this move would save patients money by reducing out-of-pocket costs for deductibles and co-insurance.