Earlier this month we wrote about breaches of medical data in the United Kingdom, but in these past few weeks the US medical community has been stunned by two major security breaches related to Blue Cross Blue Shield.
The Blue Cross and Blue Shield brands are the United State’s oldest and largest family of health benefits companies and are among the most recognized brands in the health insurance industry. They are the largest health benefits provider in America, serving 100 million people, or approximately one-in-three Americans.
However, a great brand and a long history did not do anything to protect Blue Cross and Blue Shield from these two security breaches.
Information on 850,000 Physicians was stolen
A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Association employee. The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.
Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant encrypts all the information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The employee’s personal laptop was stolen after the employee left headquarters with it.
Smokler said corrective action has been taken, but declined to elaborate. This ties directly to our earlier article on security of healthcare data where we noted:
It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches” which highlights why the government regulation is so important. Unless the fines and implications are severe - this industry, which is accustomed to using insurance to alleviate risks is likely to continue to be a data security black hole.
It’s for this reason that Blue Cross Blue Shield should publicize the steps taken against this employee. Other employees in the healthcare industry and beyond need to see that there are repercussions of violating data security procedures. The powerful American Medical Association which represents most of the 850,000 impacted doctors has 6 asked the BlueCross BlueShield Association to meet regarding the data breach – so this story is far from over.
68 Blue Cross Blue Shield Hard Drives Stolen
In addition to reports of the missing laptop with from the national headquarters Blue Cross Blue Shield of Tennessee has announced the theft of 68 computer hard drives. Over the weekend of Oct. 2nd, unauthorized persons entered a data closet in a remote location that BlueCross BlueShield of Tennessee leases for training purposes and removed 68 hard drives. The stolen hard drives contained voice recordings of eligibility and coordination-of-benefit calls.
While BCBS has not specifically stated whether the drives were encrypted, they commented that “the retrieval of member data from these drives would require highly-specialized expertise and software.” The other term that was used was “encoded.” This tells us that while some of the files might have been secured and the data might be hard to retrieve, the drives were not protected by hard drive encryption.
One has to wonder – how many times will records have to be stolen, before companies in the healthcare industry step up and encrypt. Sure, we all know the economy is tough and money is tight – but today encryption is quite affordable.