It seems health insurer Horizon Blue Cross Blue Shield New Jersey (Horizon BCBSNJ) can’t catch a break. In 2015 (about 1,100 affected) and 2016 (about 170,000 affected), they suffered two more incidents that compromised, or placed at risk, the protected health information (PHI) or personally identifiable information (PII) of their insured. In December 2013, we commented on how Horizon had suffered two separate data breaches in the course of five years (2008 and 2013), with the 2013 breach ending up affecting 839,711 individuals.
Privacy breach incident in 2016
In late October/early November 2016, Horizon BCBSNJ informed approximately 170,000 of their insured that they may have received the “explanation of benefits” (EOB) for someone else within the Horizon BCBSNJ system, and that their own EOB may have likewise been mishandled. According to NJ.com, a vendor of Horizon BCBSNJ made a clerical or program error which caused a mix-up that sent individual EOB statements on their errant way to the wrong Horizon BCBSNJ members. A statement attributed to the insurer is quoted as saying, “names, policy numbers and the physician information of other policy holders … and … no social security numbers, financial information, addresses or dates of birth were included on the statements, (the letters) may include member name, member ID number, claim number, date of service, limited description of services, service codes or provider/facility name.”
For those familiar with reading EOBs, the description of service and the service codes can be cross-referenced to determine what ailment the medical professional was treating you for. Back in the day of ICD-9, the codes were very broad, but now that ICD-10 is in use, the descriptions and codes are much more granular. While this compromise, caused by a vendor error, may in the end not cause incidents of identity theft or fraud, what it did do is put very sensitive and personal PHI and PII in the hands of one’s neighbors (given that all recipients were within the same geographic area served by Horizon BCBSNJ).
Imagine showing up at a PTA meeting and introducing yourself, only to have an individual approach you afterwards and identify themselves as having received your EOB and then making an inquiry about your health, with the specificity provided within the EOB.
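The vendor error above is a classic mailing-merge failure: the claim data and the addressee data get out of step, so each envelope carries someone else’s EOB. An added illustration (not Horizon BCBSNJ’s or the vendor’s code; record layouts, field names and the sample batch are assumptions) of the pre-mailing reconciliation check that would have stopped the batch before it left the print shop:

```python
"""Pre-mailing reconciliation for an EOB print batch (added example).

Assumed layout: each Claim carries the member the service was rendered to;
each Statement carries the claim it describes and the member whose name and
address were printed on the envelope. The two must agree for every record.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    member_id: str             # member the service was rendered to


@dataclass(frozen=True)
class Statement:
    claim_id: str
    addressee_member_id: str   # member printed on the envelope


def reconcile(claims, statements):
    """Return one (claim_id, expected_member, addressee) tuple per statement
    that is addressed to someone other than the claim's own member.
    A statement citing a claim not in the batch is reported with expected None,
    since it cannot be proven to belong to the addressee either."""
    owner = {c.claim_id: c.member_id for c in claims}
    return [
        (s.claim_id, owner.get(s.claim_id), s.addressee_member_id)
        for s in statements
        if owner.get(s.claim_id) != s.addressee_member_id
    ]


def release_batch(claims, statements):
    """Gate for the mailing step: release only a batch with zero mismatches
    and exactly one statement per claim (a dropped or duplicated row is the
    usual way a merge drifts off by one and mislabels every record after it)."""
    cited = [s.claim_id for s in statements]
    complete = sorted(cited) == sorted(c.claim_id for c in claims)
    return complete and not reconcile(claims, statements)


# Constructed sample batch: the merge slipped one row after claim C2, so
# every later statement is printed for the previous member in the list.
CLAIMS = [Claim(f"C{i}", f"M{i}") for i in range(1, 6)]
GOOD = [Statement(c.claim_id, c.member_id) for c in CLAIMS]
SLIPPED = GOOD[:2] + [Statement(f"C{i}", f"M{i - 1}") for i in range(3, 6)]
```

`release_batch(CLAIMS, GOOD)` passes, while the slipped batch is held and `reconcile` names the three affected claims so only those members need notification.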
Fraud incident in 2015
In a poorly formatted and densely worded statement, Horizon BCBSNJ said: “On July 30, 2015, we learned that some of our members’ personal information may have been accessed due to fraudulent activity. Horizon BCBSNJ’s Special Investigations Unit discovered that several perpetrators falsely established themselves as doctors or other healthcare professionals and obtained Horizon BCBSNJ member identification numbers, and potentially other personal information, through methods typically only available to legitimate doctors and healthcare professionals.” The perpetrators went on to submit false claims to Horizon BCBSNJ for goods and services supposedly provided to members of Horizon BCBSNJ’s insured population. According to NJ.com, this fraudulent activity affected approximately 1,100 of Horizon BCBSNJ’s insured.
The Horizon BCBSNJ member data compromised included the following data points:
- date of birth
- member ID number
- mailing address.
They close out their statement with the admonishment that the insured are the line of defense in protecting Horizon BCBSNJ against fraud: “As always, you should review your Explanation of Benefits (EOB) statements and medical bills, and report any suspicious activity to Horizon BCBSNJ.”
While Horizon BCBSNJ has had a non-stop string of privacy and information security incidents, they are not alone. All in the healthcare industry must lean in and ensure they have in place processes and procedures which adhere to the HIPAA physical and technical safeguards.
“HIPAA – Physical and Technical Safeguards”
Following is a direct extract from the Department of Health and Human Services HIPAA guidance:
- Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
- Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.