By Jimmy H. Koo
New Jersey-based insurance provider Horizon Healthcare Services Inc. agreed to pay the state $1.1 million to settle allegations that the theft of two laptops compromised the privacy of some 690,000 policyholders (Jespersen v. Horizon Healthcare Servs., Inc., N.J. Super. Ct. Ch. Div., No. C-12-17, final consent judgment 2/15/17).
Without admitting any wrongdoing, the insurance company—doing business as Horizon Blue Cross Blue Shield of New Jersey—also agreed in the Feb. 15 final consent judgment filed in the Superior Court of New Jersey to improve its data security practices and implement a corrective action plan, including hiring a third party to conduct risk analysis. The agreement was made public Feb. 17 by the New Jersey Office of the Attorney General.
Horizon offers a variety of health insurance plans to more than 3.7 million New Jersey residents, according to a Feb. 14 state court complaint, filed by the Office of the New Jersey Attorney General’s Division of Consumer Affairs.
According to the complaint, the laptops were stolen in November 2013 from Horizon’s Newark, N.J., headquarters when someone cut the cables securing the computers to a desk. Investigation by the Division of Consumer Affairs found that during the weekend that the laptops were stolen, employees from outside vendors renovating the headquarters had unsupervised access to the area where the laptops were stolen.
Even though the policyholder data contained in the stolen laptops was password protected, the information wasn’t encrypted as required under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), the complaint alleged. Furthermore, the complaint said, Horizon’s failure to encrypt the data violated its own corporate policy that required all company-issued laptops to contain encryption software.
Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs (US) LLP in Washington, told Bloomberg BNA Feb. 17 that the “HIPAA Security Rule makes encrypting electronic protected health information (ePHI) an ‘addressable’ standard.” Golding said that “addressable” doesn’t mean “optional.”
The standard requires companies to encrypt ePHI if it is “reasonable and appropriate in light of the company’s risk assessment and, if not, implement an alternative security measure,” he said.
According to the attorney general’s complaint, following a separate incident in January 2008 involving a laptop stolen from an employee’s trunk, Horizon issued a public statement that it had encrypted all of its computers and mobile devices. However, the division’s investigation found that more than 100 laptops assigned to employees weren’t encrypted.
“There are a wide range of factors that regulators take into account when deciding whether to commence an enforcement action, including but not limited to whether the company has a history of violating similar provisions,” Golding said. “Although HIPAA does not strictly require encrypting ePHI in all cases, companies should carefully evaluate the costs and benefits when implementing technical security safeguards,” he said.
New Jersey alleged that Horizon violated the New Jersey Consumer Fraud Act, HIPAA and HITECH. Settling the allegations in a Feb. 15 final consent judgment, Horizon agreed to pay $1.1 million, comprised of a $926,803.22 civil penalty, a $93,196.78 reimbursement of the state’s attorney fees and $80,000 to be used at the sole discretion of the attorney general for the promotion of consumer privacy programs. An additional $150,000 in civil penalties is suspended pending Horizon’s compliance with the judgment.
Deputy attorneys general Elliott M. Siebers and Russell M. Smith, Jr., and assistant attorneys general John M. Falzone III and Brian McDonough represented New Jersey. Jeffrey S. Chiesa of Chiesa Shahinian & Giantomasi P.C. and Theodore J. Kobus III and Eric Packel of Baker & Hostetler LLP represented Horizon.
Horizon didn’t respond to Bloomberg BNA’s phone call and e-mail requests for comments.
To contact the reporter on this story: Jimmy H. Koo in Washington at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org
Text of the final consent judgment is available at http://nj.gov/oag/newsreleases17/Horizon-Health-Care_Judgment.pdf.
Text of the complaint is available at http://nj.gov/oag/newsreleases17/Horizon-Health-Care_Complaint.pdf.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.