Another data disaster hit the news last week: Horizon Blue Cross Blue Shield of New Jersey had two Apple MacBook Pros containing personal information on nearly 840,000 subscribers stolen from its Newark, NJ, headquarters in November.
The computers were cable-locked to workstations, but the data on the computers was not encrypted, meaning names, addresses, dates of birth, Social Security numbers, and some clinical information were potentially compromised. Horizon says that password configurations may have rendered some of the information inaccessible—and director of public affairs Tom Rubino added, “Nothing leads us to believe that the computers were stolen for the information they contained, or that any member information has been used inappropriately.”
However, per the new HIPAA Omnibus Rule, all data breaches affecting more than 500 individuals must now be reported to the U.S. Health and Human Services (HHS), local media, and all affected patients. In addition to Horizon reporting the breach to those entities, the company is also offering free credit monitoring and identity theft protection services to any subscribers whose Social Security numbers were compromised.
Why Should Small Business Owners Be Concerned?
Beyond the implications of identity theft and credit fraud, the truth is that this data disaster could have easily been avoided. If the data on those two stolen MacBook Pros had been encrypted, you and I wouldn’t be reading about this story. It will probably take months before the HHS Office of Civil Rights decides whether to act against Horizon Blue Cross Blue Shield. But if civil or criminal penalties are levied, you can bet company executives will be wishing they had taken data encryption more seriously.
How can your business avoid a similar situation and maintain the trust and reputation you’ve built with your customers? Here are three strategies that will help your company be better prepared:
1) Encrypt all protected health information (PHI)—and all data for that matter—contained on all systems. Theft can’t always be prevented; after all, Horizon Blue Cross Blue Shield suffered the aforementioned loss of cable-locked hardware while its facilities were closed for the weekend. That is what makes data encryption, especially of sensitive information like health records, so critical. Encryption is the only way to avoid liability and embarrassment.
2) Revisit all policies, procedures, and staff training initiatives. Although it appears that Horizon Blue Cross Blue Shield employees followed protocol in this situation, a different set of policies—those requiring data encryption, for instance—could have resulted in a much different outcome.
3) Have a trusted IT professional run a security audit. CMIT Solutions understands regulatory requirements like those contained in the new HIPAA Omnibus Rule. Unsure whether these apply to your company? Call or email us today so we can assist you in becoming fully compliant—and avoiding possible industry repercussions for non-compliance.
Remember that old saying, “An ounce of prevention is worth a pound of cure”?
Contact us today to find out how it could save you from a potentially embarrassing and costly situation like the one suffered by Horizon Blue Cross Blue Shield. For more information, free compliance resources, and other HIPAA-related horror stories, visit www.CMITHIPAA.com.