Horizon Healthcare to Pay N.J. $1.1M Over Stolen Laptops


By Jimmy H. Koo

New Jersey-based insurance provider Horizon Healthcare Services Inc. agreed to pay the state $1.1 million to settle allegations that the theft of two laptops compromised the privacy of some 690,000 policyholders (Jespersen v. Horizon Healthcare Servs., Inc., N.J. Super. Ct. Ch. Div., No. C-12-17, final consent judgment 2/15/17).

Without admitting any wrongdoing, the insurance company—doing business as Horizon Blue Cross Blue Shield of New Jersey—also agreed in the Feb. 15 final consent judgment filed in the Superior Court of New Jersey to improve its data security practices and implement a corrective action plan, including hiring a third party to conduct risk analysis. The agreement was made public Feb. 17 by the New Jersey Office of the Attorney General.

Horizon offers a variety of health insurance plans to more than 3.7 million New Jersey residents, according to a Feb. 14 state court complaint, filed by the Office of the New Jersey Attorney General’s Division of Consumer Affairs.

Unencrypted Data

According to the complaint, the laptops were stolen in November 2013 from Horizon’s Newark, N.J., headquarters when someone cut the cables securing the computers to a desk. An investigation by the Division of Consumer Affairs found that during the weekend that the laptops were stolen, employees of outside vendors renovating the headquarters had unsupervised access to the area from which the laptops were stolen.

Even though the policyholder data contained in the stolen laptops was password protected, the information wasn’t encrypted as required under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), the complaint alleged. Furthermore, the complaint said, Horizon’s failure to encrypt the data violated its own corporate policy that required all company-issued laptops to contain encryption software.

Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs (US) LLP in Washington, told Bloomberg BNA Feb. 17 that the “HIPAA Security Rule makes encrypting electronic protected health information (ePHI) an ‘addressable’ standard.” Golding said that “addressable” doesn’t mean “optional.”

The standard requires companies to encrypt ePHI if it is “reasonable and appropriate in light of the company’s risk assessment and, if not, implement an alternative security measure,” he said.

According to the attorney general’s complaint, following a separate incident in January 2008 involving a laptop stolen from an employee’s trunk, Horizon issued a public statement that it had encrypted all of its computers and mobile devices. However, the division’s investigation found that more than 100 laptops assigned to employees weren’t encrypted.

“There are a wide range of factors that regulators take into account when deciding whether to commence an enforcement action, including but not limited to whether the company has a history of violating similar provisions,” Golding said. “Although HIPAA does not strictly require encrypting ePHI in all cases, companies should carefully evaluate the costs and benefits when implementing technical security safeguards,” he said.

New Jersey alleged that Horizon violated the New Jersey Consumer Fraud Act, HIPAA and HITECH. Settling the allegations in a Feb. 15 final consent judgment, Horizon agreed to pay $1.1 million, consisting of a $926,803.22 civil penalty, a $93,196.78 reimbursement of the state’s attorney fees and $80,000 to be used at the sole discretion of the attorney general for the promotion of consumer privacy programs. An additional $150,000 in civil penalties is suspended pending Horizon’s compliance with the judgment.

Deputy attorneys general Elliott M. Siebers and Russell M. Smith, Jr., and assistant attorneys general John M. Falzone III and Brian McDonough represented New Jersey. Jeffrey S. Chiesa of Chiesa Shahinian & Giantomasi P.C. and Theodore J. Kobus III and Eric Packel of Baker & Hostetler LLP represented Horizon.

Horizon didn’t respond to Bloomberg BNA’s phone call and e-mail requests for comment.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

For More Information

Text of the final consent judgment is available at http://nj.gov/oag/newsreleases17/Horizon-Health-Care_Judgment.pdf.

Text of the complaint is available at http://nj.gov/oag/newsreleases17/Horizon-Health-Care_Complaint.pdf.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
