Horizon Healthcare Services Inc., a health insurance company
doing business as Horizon Blue Cross Blue Shield of New Jersey that
insures more than 3.7 million New Jersey residents, recently
entered into a consent judgment under which it agreed to pay
a $1.1 million settlement to the state to resolve a data breach
that affected 690,000 policyholders.
A February 14 complaint filed in Superior Court by the
state Attorney General's Division of Consumer Affairs alleged
that Horizon had failed to protect its members' electronic
protected health information (ePHI), in violation of HIPAA rules,
and accused Horizon of "unconscionable business
practices." Although HIPAA rules are typically enforced by the
U.S. Department of Health and Human Services' Office for Civil
Rights, state attorneys general are empowered to enforce them on
behalf of states. The complaint also alleged violations of the New
Jersey Consumer Fraud Act.
The breach arose out of the theft of two laptop computers from
Horizon's offices in November 2013. The Division of Consumer
Affairs' investigation revealed that workmen renovating
Horizon's headquarters had had unsupervised access to the area
from which the laptops were stolen. The complaint alleged that the
policyholder data in the laptops was password-protected but not
encrypted, and that Horizon's failure to encrypt the data
violated its own corporate policy applicable to company-issued
laptops. Furthermore, the complaint pointed out that Horizon
publicly claimed to have encrypted all of its mobile devices after
a previous laptop theft in 2008, but the Division's
investigation found that more than 100 of Horizon's
employees' laptops were not encrypted.
As part of the settlement, Horizon agreed to implement a corrective
action plan, including hiring a third party to conduct a risk
assessment, and improve its data security practices.