The Anthem Healthcare Data Breach: What It Means

February 10, 2015
Ike Devji, JD

When it comes to asset protection many physicians mistakenly focus only on medical malpractice risk. Recent news reports illustrate other serious risks.

When it comes to asset protection many physicians mistakenly focus only on medical malpractice risk. Recent news reports illustrate other serious risks.

80 million Anthem patient records exposed

I've previously provided basic computer security tips as well as a look at the high level of liability medical practices bear in the event of a patient data breach in past columns. If you have not made a substantive professional review of your health IT security, including staff training and a review of your insurance coverage, consider this a final warning: You are living on borrowed time as medical practices are prime targets for cyber criminals. In case you've somehow missed seeing the news, the Internet or any other media the last few days, Anthem healthcare was hacked, probably through phishing attacks on five of its own employees, that compromised as many as 80 million patient records over the last 45 days.

According to a USA Today news report issued late Sunday evening, the Anthem hack is the nation's largest healthcare breach to date and lawsuits have already been filed in at least four states including Indiana, California (no surprise there), Georgia, and Alabama. The report further states that, "The suits allege that Anthem did not take adequate and reasonable measures to ensure its data systems were protected and that the 80 million Anthem customers whose information may have been affected could be harmed."

Captive insurance companies added to IRS "Dirty Dozen List"

The use of captive insurance companies (CICs) by medical practices is increasingly commonplace. There are good and bad ways to use them, and in my previous four-part series I explored many of the issues, facts, and patterns that make CICs work. Some of the primary cautions I shared were the common tendency of both doctors and their advisers to abuse the tax benefits of the captive insurance company by failing to maintain a legitimate business purpose for what they insure; the amount doctors were paying in premiums; and areas the CIC invested in. Sure enough, the IRS has caught on in a major way, including CICs in an IRS press release  on the 2015 Dirty Dozen List:

"Another abuse involving a legitimate tax structure involves certain small or 'micro' captive insurance companies. Tax law allows businesses to create 'captive' insurance companies to enable those businesses to protect against certain risks. The insured claims deductions under the tax code for premiums paid for the insurance policies while the premiums end up with the captive insurance company owned by the same owners of the insured or family members.

"In the abusive structure, unscrupulous promoters persuade closely held entities to participate in this scheme by assisting entities to create captive insurance companies onshore or offshore, drafting organizational documents and preparing initial filings to state insurance authorities and the IRS. The promoters assist with creating and 'selling' to the entities often times poorly drafted 'insurance' binders and policies to cover ordinary business risks or esoteric, implausible risks for exorbitant 'premiums,' while maintaining their economical commercial coverage with traditional insurers.

"Total amounts of annual premiums often equal the amount of deductions business entities need to reduce income for the year; or, for a wealthy entity, total premiums amount to $1.2 million annually to take full advantage of the Code provision. Underwriting and actuarial substantiation for the insurance premiums paid are either missing or insufficient. The promoters manage the entities' captive insurance companies year after year for hefty fees, assisting taxpayers unsophisticated in insurance to continue the charade."

If you have a CIC that falls into this pattern you may want to immediately review these issues with outside counsel including both a CPA and a qualified attorney. If you are in the process of creating or funding a CIC, make sure you review the issues I covered in the link on this above, and are asking the right due-diligence questions. The use of large amounts of life insurance inside the captive, especially in its early years, is a most-basic red flag.

Next week I'll take a look at two other painful lessons we can take from the news: Why Bruce Jenner's car accident and Mariah Carey's domestic employee lawsuit are closer to your family and your money than you think.