Data Breach – Horizon Blue Cross – two data breaches in five years

Looking for information about the 2016 mis-mailing of EOB’s to Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) members?  Read-> Data Breaches Again at Horizon BCBSNJPrevendra: Horizon Blue Cross Blue Shield data breach


Horizon Blue Cross Blue Shield of New Jersey – Two data breaches in five years.

[Updated 18 December 2013*]

Earlier this week 839,711 members of Horizon Blue Cross Blue Shield of New Jersey received an early lump of coal, news that their information had been compromised by their healthcare insurer.

The breach of 2013:  
The statement issued by Horizon noted two laptops were stolen from their offices between 1 and 4 November 2013, contained the personal identifying information (PII) and protected health information (PHI) of a number of Horizon Blue Cross Blue Shield insured. Interestingly they make a point to mention that the laptops were cable locked to the desks (a good physical security technique which actually does deter walk-by theft of devices, but is of little deference to the thief with time). Alas, while the physical security deterrent was in place, the technological protection of the data was not protected at standard healthcare data protection methods in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules (see below for the excerpt from the Health and Human Services (HHS) HIPAA site). The press piece goes on to say, “Horizon BCBSNJ continues to work with law enforcement to locate the laptops. To prevent a similar incident from happening in the future, Horizon BCBSNJ is strengthening encryption processes and enhancing its policies, procedures and staff education regarding the security of company property and member information.”

In each of the 2013 breach notification letters (Horizon Blue Cross has crafted three separate letters) the individual is provided with a wealth of data, including the admonishment: “If you identify medical services listed on your explanation of benefits that you did not receive, please contact us immediately.” Such is indicative of an understanding on the part of Horizon Blue Cross of the very real possibility of Medical Identity Theft.

The breach of 2008:
In  January 2008, InformationWeek magazine reported the data breach at Horizon BCBS of New Jersey involving yet another stolen laptop computer:

 “Horizon Blue Cross Blue Shield of New Jersey has notified its members that an employee laptop computer containing personal information — including Social Security numbers — for about 300,000 individuals was stolen in early January… On its Web site, the company says a “security feature was initiated” on Jan. 28 that “destroys all the data on the stolen computer.” Horizon Blue Cross Blue Shield of New Jersey says the personal information contained on the computer also included names and addresses of members, but no medical data.”

Event amnesia?
The Horizon spokesperson in 2008, quoted by Information Week, noted the existence of a “security feature” which destroys all the data on the stolen computer. Furthermore, the event of 2008, only involved PII and not PHI. Fast forward to 2013, and two laptops are stolen from within the offices. The information security team no doubt had appropriate policies in place to protect PII and PHI subsequent to the 2008 breach, but the implementation side of the equation appears to have encountered what many entities encounter, lack of situational awareness with respect to where and how PII and PHI, the crown jewels and most sensitive of data was stored.

Preventing the next breach?
Questions which immediately come to mind. Is Horizon Blue Cross or any other organization which handles PII and PHI able to scan across all devices to determine the existence of PII or PHI stored in an unprotected manner? Any number of  the commercial off the shelf (COTS) Data Loss Prevention software packages would have been less expensive than the breach remediation exercise in which they are now engaged.

The SANS Institute published a Data Loss Prevention worksheet (sponsored by McAfee and crafted in 2009), which would be of value to any and all entities which handle PII and/or PHI. Within the worksheet’s Executive Summary, the author of the worksheet notes;

Data-centric protections need to address data discovery and classification, incident workflow, policy creation/management and data movement detection. The breadth of the technology required to accomplish all of this is broad, covering:

  • Fully-integrated encryption for end points for data in use, in motion and at rest within applications (e-mail, file servers, etc.), including sensitive data transferred onto portable storage devices
  • Host-based DLP for localized detection and prevention of data leakage for data in use, data in motion, and data at rest
  • Network DLP with data discovery and analysis, network monitoring (with extensive protocol and application parsing support), and prevention capabilities for both inbound and outbound content

While it would be naive to think theft will ever be eradicated, that which can be stolen can certainly be mitigated. Horizon Blue Cross has been bitten by the same issue two times over the course of the past five years, theft of devices which contained sensitive data.  As noted in our discussion surrounding the recent compromise of 90,000 patient records by the University of Washington, Horizon Blue Cross is not alone. In Ponemon’s December 2012 report, “Third Annual Study on Patient Privacy,”  a sobering statistic was revealed: 94 percent of healthcare organizations in the study have had at least one data breach in the past two years.  More than million individuals face the reality of having to monitor and secure their identities, well beyond the one year of coverage provided by Horizon Blue Cross, as one’s identity has value 2, 3, 12, 25 years after having been stolen.

The takeaway for all healthcare providers, empower your Chief Security Officer (CSO) and Chief Information Security Officer (CISO) with sufficient resources to not only protect your infrastructure; but also to invest in employee education. Know where and how your data is stored on your network and employees devices. Far too often, healthcare security and awareness programs fall into the operational expense category of “nice to have.” Incidents such as the Horizon Blue Cross compromise, demonstrate the need for training and resourcing. Security is no longer in the nice to have category. Nor is security awareness training for those handling data just once and done, but must be a constant reminder that your patient’s information is precious and it is incumbent upon everyone to protect and secure the information. If you’re entity does not have a CSO or CISO, and many don’t, obtain the services of a Virtual CSO – have a professional security practitioner on your data security team.

[*Updated: 18 December 2013 – To remove attribution to Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ) for the data breach of 2009 which occurred at Blue Cross Blue Shield Association (BBSA) involving the compromise of the PII of 800,000-850,000 doctors. We thank Horizon Blue Cross Blue Shield of New Jersey, for reaching out to us, and providing clarification: BCBSA and BCBSNJ are independent entities.  //CB]

“HIPAA – Physical and Technical Safeguards”

Following is a direct extract from the Department of Health and Human Services HIPAA guidance

Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.6
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.