Insurance Service Office Announces Breach of Social Security Numbers
Insurance Service Office (ISO), a New Jersey provider of property and casualty insurance, has announced its insurance database was inappropriately accessed, resulting in a breach of Protected Health Information (PHI).
ISO has disclosed neither the number of individuals affected nor whether access was gained by a hacker or a malicious insider; however, it does appear that data was accessed with the intent of using it for criminal purposes.
The database contained highly sensitive information on patients, including details of their health insurance policy, Social Security numbers, and driver’s license numbers. Patient names, dates of birth and contact details were also stored in the database. The information exposed in the HIPAA breach could be used by criminals to steal identities, fraudulently obtain credit and make fake insurance claims.
Breach Notification Delay Requested by Law Enforcement
HIPAA regulations require covered entities to issue breach notifications to affected individuals within 60 days of the discovery of a PHI breach; however, patients and federal/state agencies should be notified “without unnecessary delay.”
On occasion, the issuing of breach notification letters and an accompanying announcement of a data breach could potentially jeopardize a police investigation. Law enforcement officers may request a delay to the announcement of a data breach to allow them to conduct an investigation, as was the case with the ISO breach.
ISO reported the matter to law enforcement officers and an investigation was initiated, although at this stage it appears that no arrests have been made. ISO, the National Insurance Crime Bureau, and the County Prosecutor's office also conducted investigations into the breach.
Notification letters are now being dispatched to all affected individuals to advise them of the exposure of their data to “unauthorized individuals.” They are also being offered credit monitoring and identity theft protection services for a period of one year, without charge.