HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Computer Theft Exposes Data of 560 ABCBS Applicants

Arkansas Blue Cross and Blue Shield (ABCBS) – Arkansas’s largest provider of health insurance – has reported the theft of a laptop computer containing the unencrypted data of 560 insurance applicants.

An independent insurance agency – Treat Insurance Agency (TIA) – suffered a burglary at its Little Rock, Ark. offices on June 16. The perpetrators stole two computers which contained data of ABCNS applicants. Those individuals had applied for health insurance through TIA between October 1, 2012 and June 16, 2015.

The exposed data includes the “personal information” of applicants. The exact information exposed has not been announced; however victims will be informed by post if they have been affected together with details of the information has potentially been exposed. A helpline has also been set up for concerned members and applicants to find out more information.

Arkansas Blue Cross and Blue Shield Computers Not Affected

The data breach did not affect the ABCBS computer network or any of its equipment. Data exposure was limited to the information held by the TIA. The break-in and theft of equipment was been reported to law enforcement, although no suspects have been arrested so far and the equipment has not been recovered.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

There has been no indication that any data has been used for malicious purposes, neither have any instances of identity fraud been reported. However, ABCBS is not taking any chances and has offered all affected individuals a year of credit monitoring services without charge according to a THV11 breach report.

The services include a policy to cover reimbursement for any losses suffered as a result identity theft, along with credit restoration services. Individuals under the age of 18, who are particularly vulnerable to identity theft and credit fraud, are being offered additional protections.

Senior VP of ABCBS, Ron DeBerry, announced additional protections will be put in place in the wake of the data breach to ensure similar incidents are prevented from occurring in the future. He said, “To reduce the risks that any similar thefts might affect our valuable customers, we will request independent insurance agents to protect their computer records by using encryption technology on all computers storing any applications for Arkansas Blue Cross.”

Unfortunately, break-ins cannot always be prevented, even with the most robust of security protections. However, it is possible to limit the damage caused by issuing breach notification letters promptly, and alerting plan members to the elevated risk of suffering identity theft and fraud.

In this case, the breach occurred mid-June, and notification letters and credit monitoring services are being issued less than a month later, four weeks inside the 60-day HIPAA deadline.

It may not be possible to un-expose data, but a prompt breach response can reduce the damage caused and goes a long way towards reassuring patients and plan members that privacy is treated seriously.

Computer Theft Could Affect Other Health Plan Members

According to Databreaches.net, it is highly probable that members of other health plans – and health insurance applicants – may also have been affected by the theft. Treat Insurance Agency does not just offer ABCNS plans to its clients.

Any individual who has recently signed up for health insurance with TIA, or has made an application through the agency, should obtain a free credit report from each of the three credit monitoring bureaus as a precaution.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.