Healthcare Information Security

2013 Horizon BCBS Data Breach Leads to $1.1M Settlement

Following data breach allegations stemming from a 2013 incident, Horizon BCBS will pay a state settlement and improve its data security practices.

Horizon Healthcare Services, Inc., which operates as Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ), recently agreed to a $1.1 million settlement with the State of New Jersey over data breach allegations stemming from a 2013 incident.

Along with the payment, Horizon BCBSNJ must also improve its data security practices, according to a New Jersey Division of Consumer Affairs statement.

Horizon BCBSNJ is also required to implement a Corrective Action Plan, under which the insurer must hire a third party “to conduct a thorough risk analysis of security risks associated with the storage, transmission and receipt of ePHI,” the statement explained.

A report of the findings must be submitted to the Division within 180 days of the settlement, and then annually for the following two years.

The original incident occurred in November 2013, when two laptops were stolen from Horizon BCBSNJ’s Newark headquarters. While the laptops were password-protected, they were not encrypted, the State maintained.

Approximately 690,000 individuals may have had their information exposed, including names, addresses, birthdates, and insurance identification numbers and, in some instances, Social Security Numbers and limited clinical data.

“The Division’s investigation revealed that during the weekend of the theft, numerous personnel from outside vendors performing renovations and moving services had unsupervised access to the areas from which the laptops were stolen,” the Consumer Affairs statement explained.

In 2008, a Horizon BCBSNJ laptop was stolen from an employee’s car. Following that incident, the insurer updated its corporate policy to require encryption software on all company laptops.

An investigation found that “the majority of the unencrypted computers had been obtained outside of the company’s normal procurement process, and thus were not detected by Horizon BCBSNJ’s corporate IT department.” Furthermore, the IT department “did not adequately monitor, service, or install security software required by corporate policy on those laptops.”

The two laptops stolen in 2013 had been issued to employees whose roles did not require them to store ePHI on their laptops, so the presence of ePHI on those machines was itself a violation of Horizon BCBSNJ policy, the investigation found. The insurer’s policy limited ePHI access to employees who needed it for essential job functions.

In total, the State investigation found 10 violations of the New Jersey Consumer Fraud Act, HIPAA/HITECH, and the HIPAA Privacy and Security Rules. The violations included, but were not limited to, the following:

  • Failing to implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed
  • Failing to implement policies and procedures to safeguard its facility and the equipment therein from unauthorized physical access, tampering, and theft
  • Failing to maintain a record of the movements of hardware and electronic media containing ePHI and any person responsible therefore
  • Failing to implement a mechanism to encrypt and decrypt ePHI

The litigation over the Horizon BCBS data breach has gone back and forth for several years.

Earlier this year, a US appeals court disagreed with an earlier district court decision that had dismissed a lawsuit arising from the same 2013 incident.

The Court of Appeals for the Third Circuit vacated the dismissal and remanded the case, finding that the plaintiffs had demonstrated an injury sufficient for Article III standing under the Fair Credit Reporting Act (FCRA).

“In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes,” the judges’ statement explained. “Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”

In March 2015, New Jersey U.S. District Judge Claire Cecchi had dismissed the lawsuit for lack of standing, finding that the plaintiffs alleged only hypothetical future injuries and a violation of their statutory rights, rather than a concrete harm that had actually occurred.

The appeals court, however, held that the plaintiffs’ allegation that their rights under FCRA had been violated was itself sufficient to confer standing.
