A Horizon BCBS of New Jersey HIPAA compliance fine has been announced by the New Jersey Division of Consumer Affairs. In addition to a $1.1 million financial settlement, Horizon BCBS of New Jersey is required to adopt a corrective action plan to ensure that the electronic protected health information (ePHI) of its policyholders is appropriately secured.
Horizon BCBS of New Jersey HIPAA Fine Resolves Multiple Privacy and Security Rule Violations
The Horizon BCBS of New Jersey HIPAA fine resolves violations of the HIPAA Privacy and Security Rules that contributed to a breach of the ePHI of almost 690,000 policyholders in November 2013. Two laptop computers were stolen from Horizon BCBS of New Jersey’s offices over the course of a weekend when construction work was taking place.
The laptop computers were secured to office desks with security cables, but those cables were cut and the laptops were stolen. Third-party vendors had been given access to the offices, including the locations where the laptops were stored. The laptops were not recovered, and it can be assumed that an employee of one of those vendors took them over the course of the weekend.
The data stored on the devices included policyholders’ names, addresses, insurance details, dates of birth, Social Security numbers and clinical data. While the laptop computers were protected with a password, the data on the devices were not encrypted. It is therefore possible that the ePHI of policyholders could have been accessed by the thieves or the individuals now in possession of the laptops.
The Health Insurance Portability and Accountability Act requires HIPAA-covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to implement technical safeguards to prevent the exposure of individuals’ ePHI. Covered entities are not required to use encryption technologies to safeguard ePHI, although the use of encryption must be considered.
If, after a risk analysis has been conducted, the covered entity does not deem encryption to be appropriate, alternative safeguards should be employed to provide an equivalent level of protection. If data encryption is not used, the reason for the decision must be documented, along with the controls that have been used in its place. However, neither data encryption nor an alternative safeguard was used to secure the ePHI stored on the devices – a violation of the HIPAA Security Rule.
More than 100 Laptops Were Left Unprotected
Following a similar breach of ePHI in January 2008 – which also involved the theft of an unencrypted laptop computer – the decision was taken by Horizon BCBS of New Jersey to use encryption to protect the ePHI stored on all of its laptop computers. All laptop computers used by Horizon BCBS of New Jersey were encrypted by June 2008, according to a statement issued by the insurer.
However, while it was company policy to encrypt all laptop computers, no encryption was used on the two stolen devices. The New Jersey Division of Consumer Affairs discovered that, while encryption had been used on most devices, more than 100 laptop computers had not been encrypted.
Horizon BCBS of New Jersey claimed that those devices had been “obtained outside of the company’s normal procurement process.” As a result, they were not detected by the corporate IT department. The IT department should have monitored and serviced the devices even though they were obtained through a non-standard channel. Doing so would have revealed that the devices had not been encrypted, and security software could have been installed.
The investigators also discovered that the employees provided with the two laptops were not authorized to store the ePHI of policyholders on their devices, as doing so was not necessary for their job functions.
In addition to violations of the HIPAA Rules and the HITECH Act, the investigators determined that Horizon BCBS of New Jersey had also violated the state Consumer Fraud Act. The Horizon BCBS of New Jersey HIPAA fine resolves all violations of federal and state laws discovered by the Division of Consumer Affairs investigators.
The Horizon BCBS of New Jersey HIPAA fine is split as follows: a civil penalty of $926,803.22; reimbursement of the state’s attorneys’ fees of $93,196.78; and $80,000 for the state attorney general’s office to use for the promotion of consumer privacy programs and the enforcement of consumer privacy initiatives. A further $150,000 in civil penalties was suspended, pending compliance with the corrective action plan. Beyond fines, data breaches can also affect the market value of a business.