The New Jersey Division of Consumer Affairs today announced that the state’s largest healthcare provider, Horizon Healthcare Services, Inc., has agreed to pay $1.1 million and improve data security practices to settle allegations it failed to properly protect the privacy of nearly 690,000 New Jersey policyholders whose personal information was contained on two laptops stolen from the insurer’s Newark headquarters.
The insurance giant, which does business as Horizon Blue Cross Blue Shield of New Jersey (“Horizon BCBSNJ”), agreed to the settlement after a Division investigation concluded that the company’s failure to comply with federal healthcare data security standards threatened to expose private information of its members - including their names, addresses, birthdates, insurance identifications and, in some instances, Social Security Numbers and limited clinical data.
The State alleges that the policyholder data on the stolen laptops was password protected, but not encrypted, as required under these circumstances by the federal Health Insurance Portability Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act (“HIPAA/HITECH”).
“Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it,” said Steve Lee, Director of the Division of Consumer Affairs. “Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”
The laptops were stolen from Horizon BCBSNJ’s Newark headquarters in November 2013 when someone cut the cables securing them to a desk. The Division’s investigation revealed that during the weekend of the theft, numerous personnel from outside vendors performing renovations and moving services had unsupervised access to the areas from which the laptops were stolen. The laptops contained Electronic Protected Health Information or “ePHI,” which is protected under HIPAA/HITECH.
After an incident in which a Horizon BCBSNJ laptop was stolen from an employee’s trunk in January 2008, Horizon BCBSNJ changed its corporate policy to require all company-issued laptops to contain encryption software. In May 2008, Horizon BCBSNJ issued a public statement that the company had completed encryption of all its desktop and laptop computers, as well as its mobile devices, and that company employees had undergone encryption training so that there was a complete understanding of the new security measures that were adopted after the incident.
However, the Division’s investigation concluded that more than 100 laptops assigned to employees were not encrypted. The majority of the unencrypted computers had been obtained outside of the company’s normal procurement process, and thus were not detected by Horizon BCBSNJ’s corporate IT department, according to the investigation. As such, the investigation found that the IT department did not adequately monitor, service, or install security software required by corporate policy on those laptops.
The investigation further revealed that the laptops stolen in 2013 were issued to employees not required to store ePHI on their laptops, in violation of a company policy limiting access to ePHI information to employees who needed it to accomplish their job functions.
The State alleges that Horizon BCBSNJ engaged in multiple violations of the New Jersey Consumer Fraud Act, the federal HIPAA/HITECH and its Privacy and Security Rules by actions that include:
· Failing to implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
· Failing to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that were known to it; and document security incidents and their outcomes.
· Failing to implement a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI that establishes the extent to which its security policies and procedures meet the requirements under HIPAA’s Security Rule.
· Failing to implement policies and procedures to safeguard its facility and the equipment therein from unauthorized physical access, tampering, and theft.
· Failing to maintain a record of the movements of hardware and electronic media containing ePHI and any person responsible therefore.
· Failing to implement a mechanism to encrypt and decrypt ePHI.
· Failing to adequately train all members of its workforce on the policies and procedures with respect to Protected Health Information, or “PHI,” which is subject to HIPAA rules.
· Failing to reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements under HIPAA’s Privacy Rule.
· Representing that it had implemented and was maintaining appropriate measures to safeguard member information protected under HIPAA, and that it had properly trained employees on those measures, when such was not the case.
· Following the 2008 incident, representing that Horizon BCBSNJ would take additional measures to prevent further laptop thefts, when such measures were either not taken or ineffective.
Under the settlement, Horizon BCBSNJ must implement a Corrective Action Plan that includes hiring a third-party professional to conduct a thorough risk analysis of security risks associated with the storage, transmission and receipt of ePHI, and to submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years.
Horizon BCBSNJ also agreed to pay a $1.1 million monetary settlement comprised of a $926,803.22 civil penalty, a $93,196.78 reimbursement of the State’s attorney fees and investigative costs, and $80,000 to be used at the sole discretion of the Attorney General for the promotion of consumer privacy programs and/or the enforcement of consumer privacy initiatives.
Under the agreement, $150,000 in civil penalties are suspended pending Horizon BCBSNJ’s compliance with the Final Consent Judgment.