Recent cyberattacks, not the least of which is the Equifax breach, affords a good occasion to consider the importance of identity protection and protection of personal information, not just in health plans arena, but in all benefit plans, and, in fact, for all employment purposes. While the HIPAA administrative simplification rules provide a specific set of governance that must be followed by covered entities, including health plans, the matters are equally important for other benefit plans. 

The U. S. Attorney Office for the Southern District of Indiana recently announced sentencing of a woman for crimes involving bankruptcy fraud, perjury, wire fraud and aggravated identity theft.  In this case, the woman fraudulently transferred money from her husband’s 401(k) account into her own personal bank accounts, made multiple calls to the 401(k) service center purporting to be her husband to secure a hardship withdrawal, as well as took loans from the account, all without her husband’s consent, knowledge, or authorization.  She was sentenced to five years imprisonment and ordered to pay $112,354 in restitution

Finally, it is a matter of fiduciary responsibility to ensure that the personal identifiable information of all plan participants is protected.  Plan sponsors should obtain assurance that their record keepers and third party administrators have security measures in place to guard against cyberattacks and potential fraudulent activity.  Another best practice is to communicate to plan participants the importance protecting their information by ensuring that passwords are kept secure and not shared. Disposal of paper information containing personal identifiable information should always be shredded.

The information contained in this article is provided as general guidance and may be affected by changes in law or regulation. This article is not intended to replace or substitute for accounting or other professional advice. Please consult a CBIZ professional. This information is provided as-is with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.