Unencrypted Laptops Lead to Mega-BreachHorizon Blue Cross Blue Shield Reveals Incident
A recent theft of two unencrypted laptop computers that were cable-locked to employee workstations at the headquarters of insurer Horizon Blue Cross Blue Shield of New Jersey has resulted in a breach that potentially affected nearly 840,000 individuals.
If details of the number of individuals affected are confirmed by the Department of Health and Human Services, the incident would be the second largest 2013 health data breach reported so far, according to HHS's "wall of shame" list of major breaches. And it would mean that the three largest 2013 breaches all involved thefts of unencrypted computers.
The latest incident serves as a powerful reminder that no matter what physical security measures are taken, encryption of protected health information stored on mobile and desktop computing devices is crucial, as are other security measures, says privacy attorney Adam Greene.
"No matter what physical safeguards you have, there will always be some risk, whether those are insider threats, desktop computers that manage to walk out the back door, laptops that have cable locks torn off, or cleaning crews and other people that have access to locked facilities," says Greene, a partner at law firm Davis Wright Tremaine. He's a former official at the HHS Office for Civil Rights, which enforces HIPAA compliance.
"There is no substitute for encryption, or the use of data loss protection or similar technologies that make sure that data is kept centrally and does not end up on the end-user device," Greene says.
Horizon Blue Cross Blue Shield says in a statement that the laptops were stolen from the company's Newark, N.J., headquarters the weekend of Nov. 1. The insurer notified local police on Nov. 4, when it also launched its own investigation.
"A detailed review led by outside computer forensic experts has confirmed that the laptops may have contained files with differing amounts of member information, including name and demographic information - for example address, member identification number, date of birth - and in some instances, a Social Security number and/or limited clinical information," the statement says. "Due to the way the stolen laptops were configured, it is not certain that all of the member information contained on the laptops is accessible."
Horizon is notifying more than 839,700 members about the incident. Those members whose Social Security numbers may have been exposed will be offered free credit monitoring and identity theft protection for one year, the company says.
"Horizon BCBSNJ continues to work with law enforcement to locate the laptops. To prevent a similar incident from happening in the future, Horizon BCBSNJ is strengthening encryption processes and enhancing its policies, procedures and staff education regarding the security of company property and member information," the company says in its statement.
A Horizon spokesman tells Information Security Media Group: "It is important to note that we have no reason to believe that the laptops were stolen for the information they contained or that the information has been accessed or used in any way."
The insurer has 24-hour, 7-day front desk security at Newark office, he adds. "No one can gain access to the building without a valid reason for being there. Whoever stole the two laptops was in the building for a legitimate purpose. The laptops were tethered by cable locks to the employees' workstations. The locks were disabled. Our security cameras did not capture the theft.
"We are still investigating this matter ... It is also important to note that no employee is a suspect in the theft."
Why Encryption Is Essential
Organizations that fail to encrypt protected health information will find it increasingly difficult to defend themselves in breach investigations or other regulatory actions, says Greene, the attorney.
"The cost of encryption has come down and the government has higher expectations than ever before that you're going to encrypt," he says. "And so no matter what physical safeguards you have in place, it's becoming more challenging to convince the government that is was reasonable and appropriate not to encrypt."
Under the HIPAA Omnibus Rule, penalties for HIPAA non-compliance range up to $1.5 million per violation. More than half of the 720 major breaches reported to HHS since September 2009 have involved lost or stolen unencrypted computing devices or storage media.
The two largest 2013 breaches reported to federal authorities so far, both of which involved stolen unencrypted devices, are:
- A breach involving the theft of four unencrypted desktop computers from an office of Advocate Medical Group, a Chicago-area physician group practice. That breach, which the federal tally lists as affecting more than 4 million individuals, and has resulted in a class action lawsuit.
- A breach at AHMC Healthcare involving two unencrypted laptop computers stolen from the company's administrative offices in California. That breach impacted 729,000 individuals.