Horizon Healthcare Services Inc., a health insurance company doing business as Horizon Blue Cross Blue Shield of New Jersey that insures more than 3.7 million New Jersey residents, recently entered into a consent judgment under which it agreed to pay a $1.1 million settlement to the state to resolve a data breach that affected 690,000 policyholders.
A February 14 complaint filed in Superior Court by the state Attorney General’s Division of Consumer Affairs alleged that Horizon had failed to protect its members’ electronic protected health information (ePHI), in violation of HIPAA rules, and accused Horizon of “unconscionable business practices.” Although HIPAA rules are typically enforced by the U.S. Department of Health and Human Services’ Office for Civil Rights, state attorneys general are empowered to enforce them on behalf of states. The complaint also alleged violations of the New Jersey Consumer Fraud Act.
The breach arose out of the theft of two laptop computers from Horizon’s offices in November 2013. The Division of Consumer Affairs’ investigation revealed that workmen renovating Horizon’s headquarters had had unsupervised access to the area from which the laptops were stolen. The complaint alleged that the policyholder data on the laptops was password-protected but not encrypted, and that Horizon’s failure to encrypt the data violated its own corporate policy applicable to company-issued laptops. Furthermore, the complaint pointed out that Horizon publicly claimed to have encrypted all of its mobile devices after a previous laptop theft in 2008, but the Division’s investigation found that more than 100 of Horizon’s employees’ laptops were not encrypted.
As part of the settlement, Horizon agreed to implement a corrective action plan, including hiring a third party to conduct a risk assessment, and to improve its data security practices.