Horizon Blue Cross Blue Shield of New Jersey agreed to pay $1.1 million and improve data-security practices to settle charges that it failed to properly protect the privacy of nearly 690,000 state policyholders whose personal information was contained on two laptops stolen from the insurer’s Newark headquarters.
The insurance giant -- New Jersey's largest health insurer -- agreed to the settlement after state Division of Consumer Affairs investigators found that the company's failure to comply with federal data security standards threatened to expose private information of its members, Division Director Steve Lee said. That included names, addresses, birthdates, insurance identification numbers and, in some instances, Social Security numbers and limited clinical data. The policyholder data on the stolen laptops was password protected but not encrypted, as federal law requires; a login password alone does not protect data at rest, since the drive can simply be removed and read on another machine.
“Protecting the personal information of policyholders must be a top priority of every company,” Lee said Friday. “Customers deserve it and the law demands it. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”
The laptops were stolen from Horizon BCBSNJ’s Newark headquarters in November 2013 when someone cut the cables securing them to a desk, state authorities said. Several workers from outside vendors had unsupervised access to the areas from which the laptops were stolen, they said. The laptops contained Electronic Protected Health Information or “ePHI,” which is protected under HIPAA/HITECH.
After an incident in which a Horizon BCBSNJ laptop was stolen from an employee’s trunk in January 2008, Horizon BCBSNJ changed its corporate policy to require all company-issued laptops to contain encryption software, state authorities said.
In May 2008, Horizon BCBSNJ issued a public statement that the company had completed encryption of all its desktop and laptop computers, as well as its mobile devices, and that company employees had undergone encryption training so that there was a complete understanding of the new security measures.
Consumer Affairs investigators found, however, that more than 100 laptops assigned to employees weren't encrypted. "The majority of the unencrypted computers had been obtained outside of the company's normal procurement process, and thus were not detected by Horizon BCBSNJ's corporate IT department," Lee said.
The IT department, in turn, "did not adequately monitor, service, or install security software required by corporate policy on those laptops," he said.
Investigators also found that the laptops stolen in 2013 were issued to employees not required to store ePHI on their laptops, in violation of a company policy limiting access to ePHI to employees who needed it to accomplish their job functions.
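The three findings above (laptops acquired outside procurement that IT never saw, laptops that never received the mandated encryption, and ePHI on laptops of staff with no need for it) are all detectable by reconciling records an organization already holds. The script below is an added example, not Horizon BCBSNJ's tooling or anything from the Division's investigation: it cross-checks a constructed procurement serial list, a constructed endpoint-management export and a constructed directory computer list, and assumes a DLP scan flag and an HR-sourced list of ePHI-authorized users. All device names, serials and users are made up.

```python
"""Reconcile procurement, endpoint-management (MDM) and directory records to
find laptops that bypassed procurement, lack full-disk encryption, or hold
ePHI assigned to users with no need for it.  Added example with constructed
data; not Horizon BCBSNJ's or the Division's code."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Serials that went through normal procurement (assumed: purchasing export).
PROCUREMENT_SERIALS: Set[str] = {"SN-1001", "SN-1002", "SN-1003", "SN-1004"}


@dataclass(frozen=True)
class Endpoint:
    """One row of an MDM export (constructed schema)."""
    serial: str
    hostname: str
    user: str
    disk_encrypted: bool   # full-disk encryption active, recovery key escrowed
    ephi_found: bool       # DLP scan flagged PHI on the local disk (assumed)


# Constructed MDM export.
MDM_EXPORT: List[Endpoint] = [
    Endpoint("SN-1001", "lt-alice", "alice", True, True),
    Endpoint("SN-1002", "lt-bob", "bob", True, False),
    Endpoint("SN-1003", "lt-carol", "carol", False, True),  # unencrypted, holds ePHI
    Endpoint("SN-9001", "lt-dave", "dave", False, True),    # never procured
]

# Constructed directory computer objects (hostname -> serial attribute) for
# every machine that joined the domain, whether or not it enrolled in MDM.
DIRECTORY_COMPUTERS: Dict[str, str] = {
    "lt-alice": "SN-1001", "lt-bob": "SN-1002", "lt-carol": "SN-1003",
    "lt-dave": "SN-9001", "lt-erin": "SN-9002",
}

# Users whose job function requires ePHI (assumed: HR / IAM role export).
EPHI_AUTHORIZED: Set[str] = {"alice", "carol"}


def shadow_devices(directory: Dict[str, str], procurement: Set[str]) -> List[str]:
    """Serials seen on the network that never passed through procurement."""
    return sorted({s for s in directory.values() if s not in procurement})


def unenrolled_hosts(directory: Dict[str, str], mdm: List[Endpoint]) -> List[str]:
    """Domain-joined hosts with no MDM record: IT cannot verify their encryption."""
    enrolled = {e.hostname for e in mdm}
    return sorted(h for h in directory if h not in enrolled)


def unencrypted_devices(mdm: List[Endpoint]) -> List[str]:
    """Managed devices whose full-disk encryption is not active."""
    return sorted(e.serial for e in mdm if not e.disk_encrypted)


def ephi_need_to_know_violations(mdm: List[Endpoint], authorized: Set[str]) -> List[str]:
    """Devices holding ePHI but assigned to users not authorized to store it."""
    return sorted(e.serial for e in mdm if e.ephi_found and e.user not in authorized)


def exposure_report(procurement: Set[str], mdm: List[Endpoint],
                    directory: Dict[str, str], authorized: Set[str]) -> Dict[str, List[str]]:
    """Combine the checks; 'high_risk' is the theft scenario in the article:
    ePHI on a device with no encryption, so a stolen drive is readable."""
    return {
        "shadow": shadow_devices(directory, procurement),
        "unenrolled": unenrolled_hosts(directory, mdm),
        "unencrypted": unencrypted_devices(mdm),
        "ephi_violations": ephi_need_to_know_violations(mdm, authorized),
        "high_risk": sorted(e.serial for e in mdm if e.ephi_found and not e.disk_encrypted),
    }


if __name__ == "__main__":
    for finding, serials in exposure_report(PROCUREMENT_SERIALS, MDM_EXPORT,
                                            DIRECTORY_COMPUTERS, EPHI_AUTHORIZED).items():
        print(f"{finding:16s} {', '.join(serials) or '-'}")
```

The point of joining three sources is that each one alone misses a category: the MDM export cannot report on a laptop that never enrolled, and the procurement list cannot show what was bought with a corporate card and plugged in; only the directory (or DHCP, or a network access control log) sees everything that actually connected.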
The alleged state violations included:
· Failing to implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
· Failing to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that were known to it; and document security incidents and their outcomes.
· Failing to implement a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI that establishes the extent to which its security policies and procedures meet the requirements under HIPAA’s Security Rule.
· Failing to implement policies and procedures to safeguard its facility and the equipment therein from unauthorized physical access, tampering, and theft.
· Failing to maintain a record of the movements of hardware and electronic media containing ePHI and any person responsible therefor.
· Failing to implement a mechanism to encrypt and decrypt ePHI.
· Failing to adequately train all members of its workforce on the policies and procedures with respect to Protected Health Information, or “PHI,” which is subject to HIPAA rules.
· Failing to reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements under HIPAA’s Privacy Rule.
· Representing that it had implemented and was maintaining appropriate measures to safeguard member information protected under HIPAA, and that it had properly trained employees on those measures, when such was not the case.
· Following the 2008 incident, representing that Horizon BCBSNJ would take additional measures to prevent further laptop thefts, when such measures were either not taken or ineffective.
Under the settlement, Horizon BCBSNJ "must implement a Corrective Action Plan," Lee said. That includes "hiring a third-party professional to conduct a thorough risk analysis of security risks associated with the storage, transmission and receipt of ePHI, and to submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years," he said. Horizon BCBSNJ also agreed to pay $1.1 million: a $926,803.22 civil penalty, a $93,196.78 reimbursement of the state's attorney fees and investigative costs, and $80,000 to be used at the sole discretion of the Attorney General for the promotion of consumer privacy programs and/or the enforcement of consumer privacy initiatives.
Under the agreement, $150,000 in civil penalties was suspended pending Horizon BCBSNJ’s compliance with the deal.
Investigator Brian Morgenstern of the Division of Consumer Affairs’ Cyber Fraud Unit conducted the investigation.
Deputy Attorneys General Elliott M. Siebers and Russell M. Smith, Jr., and Assistant Attorneys General John M. Falzone III and Brian McDonough, presented the case.