The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members.
The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical and physical safeguards to protect the ePHI of patients and health plan members. While data encryption is not a mandatory technical safeguard, it is an addressable one. Covered entities must therefore consider the use of encryption technologies to protect ePHI at rest and in motion. If data encryption is not chosen, alternative security measures must be implemented that offer an equivalent level of protection.
Covered entities are required to conduct a comprehensive risk analysis to identify potential risks to the confidentiality, integrity and availability of PHI. If laptop computers are used to store the ePHI of patients or plan members, a risk assessment should show that there is a risk of ePHI exposure. Appropriate security controls should therefore be put in place to prevent ePHI exposure in the event that the devices are lost or stolen. Data encryption is one method of securing data, although other controls could equally be used. However, the use of a password on its own is insufficient. Passwords do not offer a level of protection equivalent to data encryption.
In November 2013, two laptop computers were stolen from Horizon BCBSNJ offices. The laptops were password protected but ePHI on the devices was not encrypted and no other technical security controls were used to safeguard the data. The laptop computers were secured to desks with security cables, although the thieves cut through those cables and took the laptops.
Data stored on the devices included names and addresses of policyholders, along with insurance identifiers, birth dates, some Social Security numbers, and a limited amount of clinical data.
The theft occurred over the course of a weekend when work was being conducted on Horizon BCBSNJ offices. A number of external vendors were provided with unsupervised access to the offices, including the area where the laptops were stored.
This was not the first time that an unencrypted laptop computer containing the ePHI of policyholders was stolen from Horizon BCBSNJ. A laptop computer was stolen from the vehicle of an employee in January 2008. Following that incident, Horizon BCBSNJ changed its policies and started using encryption on all laptop computers used to store ePHI. By May 2008, Horizon BCBSNJ announced that the encryption process had been completed. Training on the use of encryption was also provided to company employees to ensure they were aware of the new security controls.
However, during the course of the Division of Consumer Affairs investigation, it was discovered that more than 100 laptop computers used by Horizon BCBSNJ had no encryption, potentially placing ePHI at risk of exposure. The reason provided for the lack of encryption was that the laptop computers were obtained via a non-standard procurement process. As a result, the IT department was unaware that the devices had not been encrypted. The devices were also not subjected to the monitoring or servicing required by corporate policies.
Additionally, the Division of Consumer Affairs investigators determined that the employees who had been issued the two laptop computers were not required to store ePHI, and that doing so violated corporate policies.
The investigators concluded that in addition to violations of HIPAA Privacy and Security Rules, Horizon BCBSNJ had also violated the New Jersey Consumer Fraud Act.
In addition to the $1.1 million fine, Horizon BCBSNJ is required to adopt a robust corrective action plan to ensure compliance with HIPAA/HITECH and the New Jersey Consumer Fraud Act. An external professional must be hired to conduct a comprehensive, organization-wide risk analysis covering all devices and systems used to store or transmit ePHI. That risk analysis must be conducted within 180 days of the settlement date, and annually for the next two years. Reports of the findings of the analysis must be submitted to the Division of Consumer Affairs.
Steve Lee, Director of the Division of Consumer Affairs, said: “Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it.” He also explained that “Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”