HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Insurance Service Office Announces Breach of Social Security Numbers

Insurance Service Office (ISO), a New Jersey provider of property and casualty insurance, has announced its insurance database was inappropriately accessed, resulting in a breach of Protected Health Information (PHI).

ISO has not disclosed the number of individuals affected, nor whether access was gained by a hacker or a malicious insider; however, it does appear that data was accessed with the intent of using it for criminal purposes.

The database contained highly sensitive information on patients, including details of their health insurance policy, Social Security numbers, and driver’s license numbers. Patient names, dates of birth and contact details were also stored in the database. The information exposed in the HIPAA breach could be used by criminals to steal identities, fraudulently obtain credit and make fake insurance claims.

Breach Notification Delay Requested by Law Enforcement

HIPAA regulations require covered entities to issue breach notifications to affected individuals within 60 days of the discovery of a PHI breach; however, patients and federal/state agencies should be notified “without unnecessary delay.”

On occasion, the issuing of breach notification letters and an accompanying announcement of a data breach could potentially jeopardize a police investigation. Law enforcement officers may request a delay to the announcement of a data breach to allow them to conduct an investigation, as was the case with the ISO breach.

ISO reported the matter to law enforcement officers and an investigation was initiated, although at this stage it appears that no arrests have been made. ISO, the National Insurance Crime Bureau, and the County Prosecutor’s office also conducted investigations into the breach.

Notification letters are now being dispatched to all affected individuals to advise them of the exposure of their data to “unauthorized individuals.” They are also being offered credit monitoring and identity theft protection services for a period of one year, without charge.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.