Category Archives: Health Care

Prevendra Privacy

Data Breaches again at Horizon Blue Cross Blue Shield New Jersey (Horizon BCBSNJ)

It seems health insurer Horizon Blue Cross Blue Shield New Jersey (Horizon BCBSNJ) can’t catch a break. During the course of 2015 (1,100 insured affected) and 2016 (170,000 insured affected), they have had two more incidents which compromised or placed at risk the protected health information or the personal identifying information of their insured. In December 2013, we commented on how Horizon had suffered two separate data breaches in the course of five years (2013 and 2008), with the 2013 breach ending up affecting 839,711 individuals.

Privacy breach incident in 2016

In late October/early November 2016, Horizon BCBSNJ informed approximately 170,000 of their insured that they may have received the “explanation of benefits” (EOB) for someone else within the Horizon BCBSNJ system, and that their own EOB may likewise have been mishandled. According to NJ.com, a vendor of Horizon BCBSNJ made a clerical or program error which caused a mix-up that sent individual EOB statements to the wrong Horizon BCBSNJ members. A statement attributed to the insurer is quoted as saying, “names, policy numbers and the physician information of other policy holders … and … no social security numbers, financial information, addresses or dates of birth were included on the statements, (the letters) may include member name, member ID number, claim number, date of service, limited description of services, service codes or provider/facility name.”

For those familiar with reading EOBs, the description of service and the service codes can be cross-referenced to determine what ailment the medical professional was treating you for. Back in the day of ICD-9, the codes were very broad, but now that ICD-10 is in use, the descriptions and codes are much more granular. While this compromise, caused by a vendor error, may in the end not cause incidents of identity theft or fraud, what it did do is put very sensitive and personal PHI and PII in the hands of one’s neighbors (given that all recipients were within the same geographic area served by Horizon BCBSNJ).

Imagine showing up at a PTA meeting and introducing yourself, only to have an individual approach you afterwards and identify themselves as having received your EOB and then making an inquiry about your health, with the specificity provided within the EOB.

“What's in your EOB? 170,000 of Horizon BCBS New Jersey are learning what's in their neighbor's EOB.”

Fraud incident in 2015

In a poorly formatted and densely worded statement, Horizon BCBSNJ said: “On July 30, 2015, we learned that some of our members’ personal information may have been accessed due to fraudulent activity. Horizon BCBSNJ’s Special Investigations Unit discovered that several perpetrators falsely established themselves as doctors or other healthcare professionals and obtained Horizon BCBSNJ member identification numbers, and potentially other personal information, through methods typically only available to legitimate doctors and healthcare professionals.” The perpetrators went on to submit false claims to Horizon BCBSNJ for goods and services supposedly provided to members of Horizon BCBSNJ’s insured population. According to NJ.com, this fraudulent activity affected approximately 1,100 of Horizon BCBSNJ’s insured.

The Horizon BCBSNJ data compromised included the following data points:

  • name
  • date of birth
  • gender
  • member ID number
  • mailing address

They close out their statement with the admonishment that the insured are the line of defense in protecting Horizon BCBSNJ against fraud: “As always, you should review your Explanation of Benefits (EOB) statements and medical bills, and report any suspicious activity to Horizon BCBSNJ.”


While Horizon BCBSNJ has had a non-stop string of privacy and information security incidents, they are not alone. All in the healthcare industry must lean in and ensure they have in place processes and procedures which adhere to the HIPAA physical and technical safeguards.

“HIPAA – Physical and Technical Safeguards”

Following is a direct extract from the Department of Health and Human Services HIPAA guidance

  • Physical Safeguards
    Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
    Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
  • Technical Safeguards
    Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
    Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
    Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
    Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Insider Threat – Canadian privacy breached as PHI/PII goes missing in Manitoba

Patients in Manitoba are receiving notification from their healthcare providers that their personal and sensitive information has been lost or inappropriately accessed. As all who have responsibility for the security of information know, the insider threat is very real. Often we associate the insider threat with the actions of a nefarious individual. As you’ll read below, these breaches involved an employee wanting to update their contact list and a hard-copy file walking out of a locked, access-controlled office.

In both instances, the health authorities have an excellent opportunity to heighten the awareness of all employees as to the sensitivity of individual patient records. The security and privacy awareness training should include a special admonishment on the requirement to follow the principle of least-privilege access. That is to say, access only what you must in order to do your assigned duties, and then return the information to its secure, at-rest location. Carelessness and curiosity are two very real insider threats which all entities need to address to ensure the protection of the individual’s sensitive and private information.

“#Insiderthreat: Does your DLP protect against inappropriate access? #privacy #infosec #Canada”

Inappropriate Access

In mid-November 2016, the Winnipeg Free Press reported that a former worker of the Manitoba Health, Seniors and Active Living (MHSAL) department broke the trust between the MHSAL and its constituency when the individual took a peek into the confidential protected health information (PHI) records of approximately 197 individuals. The reason? The employee wanted to update her address book. The Manitoba Health Minister, Kelvin Goertzen, said Monday that his department has wrapped up an internal investigation and that the employee has moved on to other opportunities outside the MHSAL.

Read the full article:  Private data breach ‘not nefarious’; former Health worker wanted to update contacts
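The two points above, least-privilege access and the audit controls that catch its violation, come together in the access-log review an organization would run to notice an employee opening 197 records with no treatment relationship. The following is an added illustration, not code from the Manitoba health authorities or any EHR product: it parses a constructed audit trail (timestamp, user, role, action, patient record id) and flags any user whose count of distinct patient records within a sliding one-hour window exceeds an assumed per-role baseline. The role limits and the `HZN`-style identifiers are assumptions for the example.

```python
"""Audit-control check: flag users who open an unusually large number of
distinct patient records inside a short window.

Constructed example; the log format, roles and baselines are assumptions,
not those of any real health authority or EHR system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: ISO timestamp, user, role, action, record id.
SAMPLE_LOG = """\
2016-11-01T08:02:11 jdoe   clerk  VIEW   P-10001
2016-11-01T08:03:40 jdoe   clerk  VIEW   P-10002
2016-11-01T08:04:05 jdoe   clerk  VIEW   P-10003
2016-11-01T08:04:59 jdoe   clerk  VIEW   P-10004
2016-11-01T08:05:33 jdoe   clerk  VIEW   P-10005
2016-11-01T08:06:10 jdoe   clerk  VIEW   P-10006
2016-11-01T09:15:00 rnurse nurse  VIEW   P-10001
2016-11-01T09:16:00 rnurse nurse  UPDATE P-10001
2016-11-01T10:30:00 rnurse nurse  VIEW   P-10042
2016-11-01T13:00:00 jdoe   clerk  VIEW   P-10007
"""

# Assumed baselines: how many distinct records a role legitimately touches
# in one hour.  A real deployment derives these from historical data.
ROLE_WINDOW_LIMITS = {"clerk": 5, "nurse": 20, "physician": 40}


def parse_log(text):
    """Turn whitespace-separated audit lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient,
        })
    return sorted(events, key=lambda e: e["ts"])


def flag_bulk_access(events, window=timedelta(hours=1),
                     limits=ROLE_WINDOW_LIMITS, default_limit=10):
    """Return {user: peak distinct records in any window} for users whose
    peak exceeds their role's limit.  Views and updates both count: the
    question is breadth of access, not the kind of access."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        limit = limits.get(evs[0]["role"], default_limit)
        peak = 0
        # Slide the window start over each event; evs is already time-ordered.
        for i, start in enumerate(evs):
            seen = {e["patient"] for e in evs[i:]
                    if e["ts"] - start["ts"] <= window}
            peak = max(peak, len(seen))
        if peak > limit:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, peak in flag_bulk_access(parse_log(SAMPLE_LOG)).items():
        print(f"REVIEW {user}: {peak} distinct patient records in one hour")
```

In the constructed log the clerk account touches six distinct records in four minutes against an assumed baseline of five, so it is reported for review, while the nurse account stays well under its limit. The output is a review queue, not a verdict: the follow-up is the conversation with the employee's supervisor about whether those accesses had a work purpose.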

A file goes for a walk

Separately, the CBC reports that the Winnipeg Regional Health Authority (WRHA) is dealing with a data breach involving the PHI and personal identifying information (PII) of over 1,000 people, after an administrative file was taken from a “locked” office inside Winnipeg Health Sciences Centre on Oct. 7. Réal Cloutier, the WRHA’s vice-president and chief operating officer, said, “We take our responsibility as a trustee of health information seriously and we expect that we protect that information, and unfortunately in this case we have a situation where information was taken.”

Read the full article: File with 1,000 patients’ personal details taken from Winnipeg hospital

Data Breach – Horizon Blue Cross – two data breaches in five years

Looking for information about the 2016 mis-mailing of EOBs to Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) members? Read: Data Breaches Again at Horizon BCBSNJ


Horizon Blue Cross Blue Shield of New Jersey – Two data breaches in five years.

[Updated 18 December 2013*]

Earlier this week 839,711 members of Horizon Blue Cross Blue Shield of New Jersey received an early lump of coal, news that their information had been compromised by their healthcare insurer.

The breach of 2013:
The statement issued by Horizon noted that two laptops, stolen from their offices between 1 and 4 November 2013, contained the personal identifying information (PII) and protected health information (PHI) of a number of Horizon Blue Cross Blue Shield insured. Interestingly, they make a point of mentioning that the laptops were cable-locked to the desks (a good physical security technique which does deter walk-by theft of devices, but is of little deterrence to a thief with time). Alas, while the physical security deterrent was in place, the data itself was not protected to the standard healthcare data protection methods required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules (see below for the excerpt from the Health and Human Services (HHS) HIPAA site). The press piece goes on to say, “Horizon BCBSNJ continues to work with law enforcement to locate the laptops. To prevent a similar incident from happening in the future, Horizon BCBSNJ is strengthening encryption processes and enhancing its policies, procedures and staff education regarding the security of company property and member information.”

In each of the 2013 breach notification letters (Horizon Blue Cross has crafted three separate letters) the individual is provided with a wealth of data, including the admonishment: “If you identify medical services listed on your explanation of benefits that you did not receive, please contact us immediately.” Such is indicative of an understanding on the part of Horizon Blue Cross of the very real possibility of Medical Identity Theft.

The breach of 2008:
In January 2008, InformationWeek magazine reported a data breach at Horizon BCBS of New Jersey involving yet another stolen laptop computer:

 “Horizon Blue Cross Blue Shield of New Jersey has notified its members that an employee laptop computer containing personal information — including Social Security numbers — for about 300,000 individuals was stolen in early January… On its Web site, the company says a “security feature was initiated” on Jan. 28 that “destroys all the data on the stolen computer.” Horizon Blue Cross Blue Shield of New Jersey says the personal information contained on the computer also included names and addresses of members, but no medical data.”

Event amnesia?
The Horizon spokesperson in 2008, quoted by InformationWeek, noted the existence of a “security feature” which destroys all the data on the stolen computer. Furthermore, the event of 2008 only involved PII and not PHI. Fast forward to 2013, and two laptops are stolen from within the offices. The information security team no doubt had appropriate policies in place to protect PII and PHI subsequent to the 2008 breach, but the implementation side of the equation appears to have encountered what many entities encounter: a lack of situational awareness with respect to where and how PII and PHI, the crown jewels and most sensitive of data, were stored.

Preventing the next breach?
Questions immediately come to mind. Is Horizon Blue Cross, or any other organization which handles PII and PHI, able to scan across all devices to determine whether PII or PHI is stored in an unprotected manner? Any number of the commercial off-the-shelf (COTS) Data Loss Prevention software packages would have been less expensive than the breach remediation exercise in which they are now engaged.

The SANS Institute published a Data Loss Prevention worksheet (sponsored by McAfee and crafted in 2009) which would be of value to any and all entities which handle PII and/or PHI. Within the worksheet’s Executive Summary, the author notes:

Data-centric protections need to address data discovery and classification, incident workflow, policy creation/management and data movement detection. The breadth of the technology required to accomplish all of this is broad, covering:

  • Fully-integrated encryption for end points for data in use, in motion and at rest within applications (e-mail, file servers, etc.), including sensitive data transferred onto portable storage devices
  • Host-based DLP for localized detection and prevention of data leakage for data in use, data in motion, and data at rest
  • Network DLP with data discovery and analysis, network monitoring (with extensive protocol and application parsing support), and prevention capabilities for both inbound and outbound content
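The discovery and classification step named in the worksheet above, and the question raised earlier about scanning devices for unprotected PII/PHI at rest, is the part a security team can prototype in an afternoon before buying a COTS product. The following is an added example and not SANS, McAfee or Horizon code: it walks a directory tree, applies a few constructed detection rules (US SSN format, ISO date of birth, and a hypothetical `HZN` + 8-digit member-ID format assumed for the example), skips binary or encrypted blobs, and grades each hit so that a file linking an SSN to health identifiers is reported as high risk. The sample files it scans are constructed inside a temporary directory.

```python
"""Data-at-rest discovery: report files that appear to hold unprotected PII/PHI.

Added example; the patterns, member-ID format and risk grading are
assumptions for illustration, not any vendor's or insurer's rules."""
import os
import re
import tempfile

# Detection rules (constructed).  The SSN rule rejects area/group/serial
# values that are never issued, which removes most numeric false positives.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "member_id": re.compile(r"\bHZN\d{8}\b"),   # hypothetical insurer format
}
MAX_BYTES = 1_000_000   # read at most this much of each file


def is_probably_text(data: bytes) -> bool:
    """Binary and encrypted files contain NUL bytes; plain exports do not."""
    return b"\x00" not in data[:4096]


def classify_text(text: str) -> dict:
    """Count matches per rule; an empty dict means nothing sensitive found."""
    hits = {}
    for name, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def risk_level(hits: dict) -> str:
    """An SSN linked to a DOB or member ID is the combination that enables
    medical identity theft, so it outranks any single identifier."""
    kinds = set(hits)
    if "ssn" in kinds and kinds & {"dob", "member_id"}:
        return "high"
    if kinds:
        return "medium"
    return "none"


def scan_tree(root: str) -> list:
    """Return findings for every readable text file under root, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(MAX_BYTES)
            except OSError:
                continue
            if not is_probably_text(data):
                continue   # encrypted or binary content needs a different detector
            hits = classify_text(data.decode("utf-8", errors="replace"))
            if hits:
                findings.append({"path": os.path.relpath(path, root),
                                 "hits": hits, "risk": risk_level(hits)})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> str:
    """Create a temp directory of constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="dlp-demo-")
    os.makedirs(os.path.join(root, "exports"))
    samples = {
        "exports/claims.csv": "member_id,dob,ssn\nHZN00012345,1971-04-09,123-45-6789\n",
        "notes.txt": "Call back re: claim for HZN00098765 next week.\n",
        "readme.md": "Nothing sensitive here.\n",
        "archive.bin": "\x00\x01binary",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f['risk']:6} {f['path']}: {f['hits']}")
```

Run across laptops and file shares on a schedule, a scanner of this shape answers the question the post asks: where the crown jewels actually sit. The NUL-byte check is deliberately crude; it means an encrypted container is silently skipped, so a production tool pairs this scan with an inventory of which devices have full-disk encryption enabled rather than trusting the absence of hits.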

While it would be naive to think theft will ever be eradicated, the damage from what is stolen can certainly be mitigated. Horizon Blue Cross has been bitten by the same issue twice over the course of the past five years: theft of devices which contained sensitive data. As noted in our discussion surrounding the recent compromise of 90,000 patient records by the University of Washington, Horizon Blue Cross is not alone. In Ponemon’s December 2012 report, “Third Annual Study on Patient Privacy,” a sobering statistic was revealed: 94 percent of healthcare organizations in the study have had at least one data breach in the past two years. More than a million individuals face the reality of having to monitor and secure their identities well beyond the one year of coverage provided by Horizon Blue Cross, as one’s identity has value 2, 3, 12, 25 years after having been stolen.

The takeaway for all healthcare providers: empower your Chief Security Officer (CSO) and Chief Information Security Officer (CISO) with sufficient resources not only to protect your infrastructure, but also to invest in employee education. Know where and how your data is stored on your network and on employees’ devices. Far too often, healthcare security and awareness programs fall into the operational expense category of “nice to have.” Incidents such as the Horizon Blue Cross compromise demonstrate the need for training and resourcing. Security is no longer in the nice-to-have category. Nor is security awareness training for those handling data a once-and-done affair; it must be a constant reminder that your patients’ information is precious and that it is incumbent upon everyone to protect and secure it. If your entity does not have a CSO or CISO, and many don’t, obtain the services of a Virtual CSO and have a professional security practitioner on your data security team.

[*Updated: 18 December 2013 – To remove attribution to Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ) for the data breach of 2009 which occurred at the Blue Cross Blue Shield Association (BCBSA) involving the compromise of the PII of 800,000-850,000 doctors. We thank Horizon Blue Cross Blue Shield of New Jersey for reaching out to us and providing clarification: BCBSA and BCBSNJ are independent entities. //CB]

“HIPAA – Physical and Technical Safeguards”

Following is a direct extract from the Department of Health and Human Services HIPAA guidance

  • Physical Safeguards
    Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
    Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
  • Technical Safeguards
    Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
    Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
    Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
    Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.