This past week, the Boston Globe wrote about a data breach incident at Blue Cross Blue Shield of Massachusetts that occurred in August of this year; the affected individuals are only now being notified. The breach, which exposed Social Security numbers, affected over 39,000 physicians and healthcare providers in Massachusetts.
“It took some time to figure out what type of data was on the laptop,” said Tara Murray, Blue Cross and Blue Shield of Massachusetts spokeswoman. “There is no reason to believe the data has been used to steal people’s identity, but we are just being cautious . . . to notify them and offering free credit monitoring.”
The Boston Globe reported that:
“Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant – roughly 90 percent of physicians nationwide are in its network – encrypts all of its information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The laptop was stolen after the employee left headquarters with it.”
It is nice to see Blue Cross-Blue Shield taking the high ground and notifying the affected individuals and providing them with a modicum of protection, given that their analysis didn’t lead to a high level of concern that the information would be misused.
The recently enacted HITECH Act requires that healthcare organizations notify individuals, Health and Human Services (HHS) and the public (via press release or other visible medium) for data breaches that exceed 500 individuals. HHS Interim Rules only mandate notification if an internal risk assessment concludes that there is significant risk of financial, reputational or other harm. Given how “squishy” this harm threshold is, it is prudent for organizations to notify under most circumstances.
This case also exemplifies how the majority of data breach incidents are not due to cybercrime and related external threats, as is often believed, but are more often caused by an accidental (or intentional) failure by employees to follow internal policies and practices, or, in other cases, by an employee who intends to perpetrate fraud using their access to personal information. In either case, the threat is internal rather than external.