On February 17, 2017, Horizon Blue Cross Blue Shield of New Jersey (“Horizon”) agreed to pay $1.1 million as part of a settlement with the New Jersey Division of Consumer Affairs (the “Division”) regarding allegations that Horizon did not adequately protect the privacy of nearly 690,000 policyholders.
The settlement stemmed from the theft of two laptops from Horizon headquarters in November 2013, when personnel from outside vendors performing renovations and moving services at Horizon’s Newark headquarters had unsupervised access to the area where company laptops were stored. The stolen laptops contained policyholder electronic Protected Health Information (“ePHI”), including names, addresses, birth dates, insurance identification numbers and, in some cases, Social Security numbers and clinical data. The policyholder data was password protected but not encrypted, in violation of HIPAA and HITECH.
An investigation by the Division found that more than 100 company-owned laptops assigned to Horizon employees were not encrypted, in violation of HIPAA and HITECH, as well as a company policy requiring company-issued laptops to contain encryption software. The Division found that most of these unencrypted laptops were obtained outside Horizon’s normal procurement process, and therefore the IT department failed to adequately monitor, service or install security software required by company policy on those laptops. The Division further found that the stolen laptops were issued to employees who were not required to store ePHI on their laptops, in violation of another company policy restricting ePHI access to employees with a “need to know.” The relevant company policies were instituted after an unrelated 2008 laptop theft from an employee’s car.
Under the terms of the settlement, in addition to the $1.1 million monetary settlement, which breaks down into a civil penalty, a reimbursement of the state’s attorneys’ fees and investigative costs, and funding for consumer privacy programs, Horizon must take corrective steps to address its data security practices with respect to ePHI. In particular, Horizon must hire a third-party professional to assess the security risks associated with its storage, transmission and receipt of ePHI, and must submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years. Of the civil penalty, $150,000 is suspended pending Horizon’s compliance with the terms of the settlement.