$1.1 Million Fine for HIPAA Violation to be Paid by Horizon BCBS of New Jersey

by Patrick Kennedy | Feb 25, 2017

Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members. The New Jersey Division of Consumer Affairs made the announcement of the fine recently.

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to implement administrative, technical and physical safeguards to protect the ePHI of patients and health plan subscribers. Data encryption is not a required technical safeguard, but it is an addressable one. Covered entities must therefore consider the use of encryption to protect ePHI both at rest and in transit. If encryption is not used, alternative security measures offering an equivalent level of protection must be implemented, and the decision must be documented.

Covered entities are required to conduct a thorough risk analysis to identify potential risks to the confidentiality, integrity and availability of PHI. If laptop computers are used to store the ePHI of patients or plan members, the risk analysis should identify the risk of that ePHI being accessed without authorization, and appropriate security controls should be applied to prevent ePHI exposure if the devices are lost or stolen. Data encryption is one way of securing the data, and other security controls could equally be used. A login password on its own is not sufficient, however, because passwords do not offer a level of protection equivalent to encryption of the data at rest.

In November 2013, two laptop computers were stolen from Horizon BCBSNJ offices. The laptops were password protected, but the ePHI on them was not encrypted and no other technical security controls were in place to safeguard the personal data. The laptops were secured to desks with security cables; the thieves cut through those cables and removed the laptops from the offices.

Personal data stored on the devices included names and addresses of policy subscribers, along with insurance identifiers, birth dates, some Social Security numbers, and a limited amount of clinical data.

The theft occurred during a weekend when work was being carried out on the Horizon BCBSNJ offices. A number of external contractors were given unsupervised access to the offices, including the area where the laptops were kept.

An unencrypted laptop containing the ePHI of policyholders had been stolen from Horizon BCBSNJ on a previous occasion: a laptop was taken from a staff member's vehicle in January 2008. Following that incident, Horizon BCBSNJ changed its policies and began encrypting all laptops used to store ePHI. By May 2008, Horizon BCBSNJ reported that the encryption rollout had been completed. Training on the use of encryption was also given to employees to ensure they were aware of the new security measures.

However, during the course of the Division of Consumer Affairs review, it was discovered that more than 100 laptop computers used by Horizon BCBSNJ had no encryption at all, potentially placing ePHI at risk of exposure. The explanation given for the lack of encryption was that the laptops had been purchased through a non-standard procurement process. As a result, the IT department was unaware that the devices existed and had not been encrypted, and the devices were not subject to the usual monitoring or servicing required by corporate policy.
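The control gap described in that paragraph is a reconciliation failure: the organization paid for laptops that its endpoint management never saw, so the encryption policy was never applied to them. The following is an added example, not code from the article or from Horizon BCBSNJ, of the periodic check a security team would run to catch that pattern. It assumes two feeds that most organizations can produce: an asset register from procurement or finance (every laptop paid for, through any channel) and an export from the endpoint-management tool listing the devices it manages and whether full-disk encryption is enabled. All records below are constructed sample data; the field names and the 30-day staleness threshold are assumptions.

```python
"""Reconcile a procurement asset register against endpoint encryption records.

Added example (not part of the original article). It flags three conditions a
HIPAA risk analysis would want to surface for laptops that may hold ePHI:
  - UNMANAGED:   the device was paid for but endpoint management has never seen it
                 (the non-standard-procurement failure described in the article)
  - UNENCRYPTED: the device is managed but full-disk encryption is not enabled
  - STALE:       the device is managed but has not checked in recently, so its
                 reported encryption state cannot be trusted
"""
from dataclasses import dataclass

UNMANAGED = "unmanaged"
UNENCRYPTED = "unencrypted"
STALE = "stale"

# Constructed sample: asset register fed from procurement/finance.
# "channel" records how the purchase was made; a department card purchase is
# exactly the kind of non-standard route that bypasses IT onboarding.
ASSET_REGISTER = [
    {"serial": "LT-0001", "owner": "alice", "channel": "standard"},
    {"serial": "LT-0002", "owner": "bob", "channel": "standard"},
    {"serial": "LT-0003", "owner": "carol", "channel": "department-card"},
    {"serial": "LT-0004", "owner": "dave", "channel": "department-card"},
]

# Constructed sample: export from the endpoint-management tool. Only devices
# it knows about appear here. "fde" = full-disk encryption enabled.
ENDPOINT_REPORT = [
    {"serial": "LT-0001", "fde": True, "last_checkin_days": 1},
    {"serial": "LT-0002", "fde": False, "last_checkin_days": 3},
    {"serial": "LT-0003", "fde": True, "last_checkin_days": 45},
]


@dataclass(frozen=True)
class Finding:
    serial: str
    owner: str
    channel: str
    issue: str


def reconcile(assets, endpoints, stale_days=30):
    """Return one Finding per control failure found across the two feeds.

    The asset register is the source of truth for what exists; the endpoint
    report is the source of truth for encryption state. Anything in the first
    but not the second is, by definition, outside the encryption process.
    """
    by_serial = {e["serial"]: e for e in endpoints}
    findings = []
    for asset in assets:
        serial, owner, channel = asset["serial"], asset["owner"], asset["channel"]
        record = by_serial.get(serial)
        if record is None:
            findings.append(Finding(serial, owner, channel, UNMANAGED))
            continue
        if not record["fde"]:
            findings.append(Finding(serial, owner, channel, UNENCRYPTED))
        if record["last_checkin_days"] > stale_days:
            findings.append(Finding(serial, owner, channel, STALE))
    return findings


def summarize(findings):
    """Count findings per issue type, for the report filed with the risk analysis."""
    counts = {}
    for finding in findings:
        counts[finding.issue] = counts.get(finding.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(ASSET_REGISTER, ENDPOINT_REPORT)
    for f in results:
        print(f"{f.serial:8} {f.owner:8} {f.channel:16} {f.issue}")
    print(summarize(results))
```

Run against the constructed data, the check reports LT-0002 as unencrypted, LT-0003 as stale and LT-0004 as unmanaged; LT-0001 produces nothing. The point of keying on the procurement feed rather than the endpoint tool's own inventory is that a device that never reached IT cannot report itself missing, so the only place it can be discovered is a record created when the money was spent.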

Additionally, the Division of Consumer Affairs investigators found that the employees who had been issued the two laptops had no need to store ePHI on them, and that doing so violated the corporate policies governing such data.

The investigators ruled that along with violations of HIPAA Privacy and Security Rules, Horizon BCBSNJ had also violated the New Jersey Consumer Fraud Act.

In addition to the $1.1 million penalty, Horizon BCBSNJ is obligated to adopt a thorough corrective action plan to ensure compliance with HIPAA/HITECH and the New Jersey Consumer Fraud Act. An external professional must be engaged to conduct a comprehensive, organization-wide risk analysis covering all devices and systems used to store or transmit ePHI. That risk analysis must be completed within 180 days of the settlement date, and then annually for the next 24 months. Reports of the findings must be filed with the Division of Consumer Affairs.

Steve Lee, Director of the Division of Consumer Affairs, stated: “Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it.” He also said: “Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
