To settle allegations that it didn't properly protect the privacy of nearly 690,000 policyholders, Horizon Blue Cross Blue Shield of New Jersey will pay $1.1 million and work to improve its data security practices, according to the New Jersey Division of Consumer Affairs.
The settlement comes after two laptops were stolen from Horizon BCBSNJ's Newark headquarters. According to the consumer affairs division, members' information – names, addresses, birthdates, insurance identifications and in some instances Social Security Numbers and limited clinical data – was left vulnerable, as the data was password-protected but not encrypted, as required by HIPAA and HITECH.
A similar case of laptop theft in 2008 led Horizon BCBSNJ to require that all company-issued laptops contain encryption software. But the division's investigation found that more than 100 laptops, most of which had been obtained outside of the company's normal procurement process, were not encrypted, and the Horizon IT department did not adequately monitor, service, or install security software required by corporate policy on those laptops.
In addition, New Jersey officials say Horizon BCBSNJ engaged in multiple violations, including failure to:
- Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed;
- Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that were known to it; and document security incidents and their outcomes;
- Implement a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI that establishes the extent to which its security policies and procedures meet the requirements under HIPAA's Security Rule;
- Implement policies and procedures to safeguard its facility and the equipment therein from unauthorized physical access, tampering, and theft;
- Maintain a record of the movements of hardware and electronic media containing ePHI and any person responsible for it;
- Implement a mechanism to encrypt and decrypt ePHI;
- Adequately train all members of its workforce on the policies and procedures with respect to protected health information;
- Reasonably safeguard ePHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements under HIPAA's Privacy Rule.
- Representing that it had implemented and was maintaining appropriate measures to safeguard member information protected under HIPAA, and that it had properly trained employees on those measures, when such was not the case;
- Following the 2008 incident, representing that Horizon BCBSNJ would take additional measures to prevent further laptop thefts, when such measures were either not taken or ineffective.
Under the settlement, Horizon BCBSNJ must implement a corrective action plan that includes hiring a third-party professional to conduct a thorough risk analysis of security risks associated with the storage, transmission and receipt of ePHI, and to submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years.
The $1.1 million monetary settlement comprises a $926,803.22 civil penalty, a $93,196.78 reimbursement of New Jersey's legal fees and investigative costs, and $80,000 to be used at the discretion of the state's AG to promote consumer privacy programs and/or the enforcement of consumer privacy initiatives. A further $150,000 in civil penalties is suspended pending Horizon BCBSNJ's compliance with the Final Consent Judgment.
"Protecting the personal information of policyholders must be a top priority of every company: Customers deserve it and the law demands it," said Steve Lee, director of the Division of Consumer Affairs, in a statement. "Horizon Blue Cross Blue Shield of New Jersey's alleged security lapses risked exposing policyholders' most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com