TRENTON — The state’s largest insurance carrier will pay a $1.1 million penalty for failing to protect the private information of 690,000 policy holders whose information was contained on two laptops stolen from the company’s Newark headquarters in 2013.

An investigation by the state Division of Consumer Affairs revealed Horizon Blue Cross Blue Shield of New Jersey had not encrypted the names, addresses, birthdates, insurance identification numbers, and some Social Security Numbers and limited medical information for 690,000 customers. 

The information was protected only by a password, Steve Lee, director of the Division of Consumer Affairs, said.

The thief cut the cables securing the laptops to a desk during a period when the office was improperly supervised during building renovations, Lee said.


“Protecting the personal information of policyholders must be a top priority of every company,” Lee said in a statement.

“Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches,” Lee said. 

A Horizon spokesman pointed out that there was never evidence that medical information was used by the perpetrator.

“While it is reassuring that not a single confirmed incident of identity theft is traceable to the two stolen laptops, Horizon remains vigilant in protecting our members’ privacy through consistent attention to and significant investment in our physical and cyber security practices,” Horizon spokesman Tom Vincz said.

“Horizon takes seriously our responsibility to comply with consumer protection and privacy laws and strives every day to earn the trust of our 3.8 million members by safeguarding their personal information.”

This was the second time the state has cited Horizon for improperly securing confidential information, according to Lee’s statement. In 2008, after a laptop was stolen from an employee’s car, the company told the state it had changed its policy to install encryption software on all of its computers and mobile devices.

The state’s most recent investigation found 100 laptops that did not contain the encryption protection, Lee said. The state also found that the employees whose laptops were stolen in 2013 should not have had access to confidential information.

In addition to the fine and court fees, the company must hire an outside company to assess the security of Horizon’s information. The outside firm must submit a report within 180 days and every year for two years detailing Horizon’s compliance.

The $1.1 million in fines and legal fees and the corrective action plan are based on a settlement accusing Horizon of violating the New Jersey Consumer Fraud Act, Lee said.

The 2013 theft led to legislation that required health insurance companies to use encryption software to protect their consumers’ information. Gov. Chris Christie signed it into law in 2015.

Susan K. Livio may be reached at slivio@njadvancemedia.com.
