New Jersey’s largest health insurance carrier has agreed to pay more than $1 million in fines and penalties and improve its data security practices in order to settle claims that it failed to protect the private data of about 690,000 policyholders whose information was contained on two stolen laptops.
The New Jersey Division of Consumer Affairs, a branch of the state attorney general’s office, announced the agreement with Horizon Blue Cross Blue Shield Friday.
The carrier agreed to pay a civil penalty of $926,803.22, and to pay the state $93,196 as reimbursement for its investigation into the November 2013 data thefts.
The attorney general’s office said the carrier failed to properly protect the privacy of the New Jersey policyholders whose personal information was contained on the laptops taken from the insurer’s Newark headquarters.
An investigation concluded that the company’s failure to comply with federal health care data security standards threatened to expose private information of policyholders, including their names, addresses, birthdates, insurance identifications and, in some instances, Social Security numbers and clinical data, according to a statement released by Attorney General Christopher Porrino.
The DCA said the policyholder data on the stolen laptops was password-protected but not encrypted, as required by the Health Insurance Portability and Accountability Act of 1996 and HIPAA’s 2009 amendments.
“Protecting the personal information of policyholders must be a top priority of every company,” said Steve Lee, director of the DCA. “Customers deserve it and the law demands it. Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”
The laptops were stolen from the carrier’s headquarters after someone cut the cables securing them to a desk. The attorney general’s investigation revealed that, during the weekend of the theft, many people associated with outside vendors that were performing renovations and providing moving services had unsupervised access to the areas from which the laptops were stolen.
According to the DCA statement, after an incident in which a Horizon BCBSNJ laptop was stolen from an employee’s trunk in January 2008, the carrier changed its corporate policy to require all company-issued laptops to contain encryption software. In May 2008, the DCA said, Horizon issued a public statement that the company had completed encryption of all of its desktop and laptop computers, as well as its mobile devices, and that company employees had undergone encryption training to ensure a complete understanding of the new security measures adopted after the incident.
However, the DCA said, an investigation concluded that more than 100 laptops assigned to employees were not encrypted.
The DCA alleged that Horizon engaged in violations of the New Jersey Consumer Fraud Act in addition to the federal HIPAA privacy regulations.
A Horizon spokesman, Thomas Vincz, issued a statement on behalf of the carrier.
“While it is reassuring that not a single confirmed incident of identity theft is traceable to the two stolen laptops, Horizon remains vigilant in protecting our members’ privacy through consistent attention to and significant investment in our physical and cyber security practices,” Vincz said. “Horizon takes seriously our responsibility to comply with consumer protection and privacy laws and strives every day to earn the trust of our 3.8 million members by safeguarding their personal information.”