Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members. The New Jersey Division of Consumer Affairs made the announcement of the fine recently.
The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to implement administrative, technical and physical safeguards to protect the ePHI of patients and health plan members. Encryption is not a required technical safeguard under the Security Rule; it is an addressable implementation specification. Covered entities must therefore assess whether encryption is reasonable and appropriate for protecting ePHI both at rest and in transit. If encryption is not used, the decision must be documented and an alternative measure offering an equivalent level of protection must be implemented.
Covered entities are also required to conduct a thorough risk analysis to identify potential risks to the confidentiality, integrity and availability of ePHI. If laptop computers are used to store the ePHI of patients or plan members, that risk analysis should identify the risk of the data being accessed without authorization. Appropriate security controls should then be used to prevent ePHI exposure if the devices are lost or stolen. Encryption is one method of securing the data; other controls could equally be used, provided they offer comparable protection. A login password on its own is not sufficient, because it only controls access to the operating system: the drive can be removed and read, or the device booted from other media, and the data on it is then fully exposed.
In November 2013, two laptop computers were stolen from Horizon BCBSNJ offices. The laptops were password protected, but the ePHI stored on them was not encrypted and no other technical security controls were in place to safeguard the personal data. The laptops had been secured to desks with security cables; the thieves cut through the cables and removed the devices from the offices.
Personal data stored on the devices included the names and addresses of policy subscribers, along with insurance identifiers, dates of birth, some Social Security numbers, and a limited amount of clinical data.
The theft occurred over a weekend while work was being carried out on the Horizon BCBSNJ offices. A number of external contractors had been given unsupervised access to the offices, including the area where the laptops were kept.
This was not the first time an unencrypted laptop containing policyholder ePHI had been stolen from Horizon BCBSNJ. A laptop computer was stolen from a staff member's vehicle in January 2008. Following that incident, Horizon BCBSNJ changed its policies and began encrypting all laptops used to store ePHI, and by May 2008 it reported that the encryption rollout was complete. Employees were also trained on the use of encryption so that they were aware of the new security measures.
However, during the Division of Consumer Affairs review it was discovered that more than 100 laptop computers in use at Horizon BCBSNJ had no encryption at all, potentially placing ePHI at risk of exposure. The explanation given was that these laptops had been purchased through a non-standard procurement process. As a result, the IT department was unaware that the devices had never been encrypted, and the devices were not subject to the monitoring or servicing that corporate policy required for managed laptops.
The investigators also found that the employees who had been issued the two stolen laptops had no business need to store ePHI on them, and that doing so violated the corporate policies governing ePHI storage.
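The gap described above, where devices bought outside the standard process never reach the team that applies encryption, is usually caught by reconciling the finance or procurement asset register against what the endpoint-management system actually reports. The following is an added example written for this page; it is not Horizon BCBSNJ's code or tooling, and the asset tags, field names, roles and thresholds are constructed for illustration. It flags laptops that were purchased but never enrolled, enrolled laptops reporting no full-disk encryption, devices that have stopped checking in, devices the management system knows about but procurement does not, and devices holding ePHI although the assigned role is not permitted to store it.

```python
from dataclasses import dataclass

# Constructed sample data for the example; not real records.
# Procurement/finance register: every laptop the company paid for.
PROCUREMENT = [
    {"tag": "LT-1001", "path": "standard", "role": "claims"},
    {"tag": "LT-1002", "path": "standard", "role": "facilities"},
    {"tag": "LT-2001", "path": "department-card", "role": "claims"},
    {"tag": "LT-2002", "path": "department-card", "role": "facilities"},
]

# Endpoint-management inventory: what the management agent last reported.
# "ephi_detected" stands in for a DLP scan result on the device.
MDM = {
    "LT-1001": {"encrypted": True, "last_checkin_days": 2, "ephi_detected": False},
    "LT-1002": {"encrypted": True, "last_checkin_days": 3, "ephi_detected": True},
    "LT-2002": {"encrypted": False, "last_checkin_days": 400, "ephi_detected": True},
    "LT-9999": {"encrypted": False, "last_checkin_days": 1, "ephi_detected": False},
}

# Roles whose job function justifies storing ePHI locally (assumed policy).
ROLES_ALLOWED_EPHI = {"claims", "clinical"}
STALE_DAYS = 30  # assumed threshold for "no longer being serviced"


@dataclass(frozen=True)
class Finding:
    tag: str
    kind: str
    detail: str


def reconcile(procurement, mdm, roles_allowed_ephi=ROLES_ALLOWED_EPHI,
              max_stale_days=STALE_DAYS):
    """Join the procurement register against the management inventory and
    return every discrepancy that matters for data-at-rest protection."""
    findings = []
    known_tags = set()

    for asset in procurement:
        tag, role = asset["tag"], asset["role"]
        known_tags.add(tag)
        record = mdm.get(tag)

        # Bought but never enrolled: encryption was never applied or verified.
        if record is None:
            findings.append(Finding(tag, "unmanaged",
                                    f"purchased via {asset['path']}, not in management inventory"))
            continue

        if not record["encrypted"]:
            findings.append(Finding(tag, "unencrypted",
                                    "management inventory reports no full-disk encryption"))

        if record["last_checkin_days"] > max_stale_days:
            findings.append(Finding(tag, "stale",
                                    f"last check-in {record['last_checkin_days']} days ago"))

        # ePHI present on a device whose assigned role has no need for it.
        if record["ephi_detected"] and role not in roles_allowed_ephi:
            findings.append(Finding(tag, "ephi-out-of-policy",
                                    f"ePHI found on device assigned to role '{role}'"))

    # Devices reporting to management that procurement has no record of.
    for tag in sorted(set(mdm) - known_tags):
        findings.append(Finding(tag, "unknown-origin",
                                "in management inventory but not in procurement register"))

    return sorted(findings, key=lambda f: (f.tag, f.kind))


def summarize(findings):
    """Count findings by kind, for a quick compliance dashboard figure."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(PROCUREMENT, MDM)
    for f in results:
        print(f"{f.tag:8} {f.kind:18} {f.detail}")
    print(summarize(results))
```

The point of driving the check from the procurement side is that a device the management system has never seen cannot be discovered by querying the management system; only a second, independent source (what was paid for) reveals it. In practice the same join can be run against a network-access or DHCP log as a third source to catch devices that were neither purchased through finance nor enrolled.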
The investigators concluded that, in addition to violating the HIPAA Privacy and Security Rules, Horizon BCBSNJ had violated the New Jersey Consumer Fraud Act.
In addition to the $1.1 million penalty, Horizon BCBSNJ is obliged to adopt a thorough corrective action plan to ensure compliance with HIPAA/HITECH and the New Jersey Consumer Fraud Act. An external professional must be engaged to conduct a comprehensive, organization-wide risk analysis covering all devices and systems used to store or transmit ePHI. That risk analysis must be completed within 180 days of the settlement date and repeated annually for the following 24 months. Reports of the findings must be filed with the Division of Consumer Affairs.
Steve Lee, Director of the Division of Consumer Affairs, stated: “Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it.” He added that “Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”