A recent theft of twounencryptedlaptop computers that were cable-locked to employee workstations at the headquarters of Horizon Blue Cross Blue Shield of New Jerseyhas resulted in abreach that potentially affected nearly 840,000 individuals.
If details of the number of individuals affected are confirmed by the Department of Health and Human Services, the incident would be the second largest 2013 health data breach reported so far, according to HHS's "wall of shame" list of major breaches. And it would mean that the three largest 2013 breaches all involved thefts of unencrypted computers.
This latest incident serves as a powerful reminder that no matter what physical security measures are taken, encryption of protected health information stored onmobileand desktop computing devices is crucial, as are other security measures.
No matter what physical safeguards you use there will always be some risk, whether those are insider threats, desktop computers that manage to walk out the back door, laptops that have cable locks torn off, or cleaning crews and other people that have access to locked facilities. There is no substitute for encryption, or the use ofdata loss protection or similar technologies that make sure that data is kept centrally and does not end up on the end-user device.
Horizon Blue Cross Blue Shield says in a statement that the laptops were stolen from the company's Newark, N.J., headquarters the weekend of Nov. 1. The insurer notified local police on Nov. 4, when it also launched its own investigation.
"A detailed review led by outside computer forensic experts has confirmed that the laptops may have contained files with differing amounts of member information, including name and demographic information for example address, member identification number, date of birth and in some instances, a Social Security number and/or limited clinical information," the statement says. "Due to the way the stolen laptops were configured, it is not certain that all of the member information contained on the laptops is accessible."
Horizon is notifying more than 839,700 members about the incident. Those members whose Social Security numbers may have been exposed will be offered free credit monitoring and identity theft protection for one year, the company says.
"Horizon BCBSNJ continues to work with law enforcement to locate the laptops. To prevent a similar incident from happening in the future, Horizon BCBSNJ is strengthening encryption processes and enhancing its policies, procedures and staff education regarding the security of company property and member information," the company says in its statement.
Why Encryption Is Important
Even though encryption is not "required" by HIPAA, organizations that fail to encrypt protected health information will find it increasingly difficult to defend themselves in breach investigations or other regulatory actions.
The cost of encryption has come down and the government has higher expectations than ever before that you're going to encrypt. And so no matter what physical safeguards you have in place, it's becoming more challenging to convince the government that is was reasonable and appropriate not to encrypt.
Under theHIPAA Omnibus Rule, penalties for HIPAA non-compliance range up to $1.5 million per violation. More than half of the 720 major breaches reported to HHS since September 2009 have involved lost or stolen unencrypted computing devices or storage media.
The two largest 2013 breaches reported to federal authorities so far, both of which involved stolen unencrypted devices, are:
- A breach involving the theft of four unencrypted desktop computers from an office ofAdvocate Medical Group, a Chicago-area physician group practice. That breach, which the federal tally lists as affecting more than 4 million individuals, and has resulted in a class action lawsuit.
- A breach atAHMC Healthcareinvolving two unencrypted laptop computers stolen from the company's administrative offices in California. That breach impacted 729,000 individuals.