Share this article on:
The theft of two laptops from the Newark headquarters of New Jersey’s largest health insurer – Horizon Blue Cross Blue Shield – has potentially resulted in the health data of almost 840,000 individuals being exposed.
The two devices were stolen from its offices on the eighth floor of 3 Penn Plaza at some point over the weekend of 1-3 Nov, 2013. The theft was discovered on Monday Nov 4, when employees returned to work and the theft was immediately reported to the police.
In accordance with the Health Insurance Portability and Accountability Act, Blue Cross Blue Shield had implemented physical controls to secure the two Apple MacBook Pros, which were locked with security cables to employee’s workstations. The cable locks were reported to have been tampered with and had been damaged allowing the laptops to be stolen.
HIPAA also demands healthcare providers implement the appropriate technical safeguards to keep health data secure. While the devices were protected by passwords, they contained unencrypted Protected Health Information which breaches HIPAA Privacy and Security Rules. Passwords are not robust enough to protect healthcare data.
Blue Cross Blue Shield is required to send breach notification letters to all affected individuals under HIPAA regulations, which it is doing “out of an abundance of caution” according to Horizon’s director of public affairs, Tom Rubino.
He also confirmed in a statement that swift action was taken to alert all affected persons, but it was not immediately clear how many people had been affected. There are 3 million subscribers who potentially could have been affected and the configuration of the laptops made it difficult for Horizon to identify how much data could potentially have been accessed. This has now been established and letters have started to be dispatched, although it may take a number of days before all affected individuals receive their breach notifications.
The information contained on the laptops included names, addresses and dates of birth, with a limited amount of health information and some Social Security numbers. Any individual that has potentially had their Social Security number exposed is being offered free credit monitoring services for 12 months.
In 2008, Horizon BCBSNJ notified 300,000 of its members that the theft of a laptop could potentially have exposed some of their healthcare data. The device in question was reportedly programmed to permanently destroy PHI data if it was stolen, although there was no mention in the statement that the same software had been installed on the stolen MacBook Pros.
This second potential breach has prompted Horizon to improve data security and implement a program of data encryption. The staff will also receive further training and data security policies and procedures are to be updated.
The Department of Health and Human Services’ Office for Civil Rights has been notified of the breach along with New Jersey’s Department of Banking and Insurance and Division of Consumer Affairs. The HIPAA breach is likely to spark an investigation by the OCR to determine whether HIPAA violations have occurred.