It’s been a tough couple of months when it comes to data breaches and plan member privacy violations for Horizon Blue Cross and Blue Shield.

Last Friday the New Jersey Division of Consumer Affairs announced that Horizon has agreed to pay a $1.1 million fine and tighten up its data security procedures. The agreement stems from a 2013 incident in which the personal information of about 690,000 plan members was exposed because of the theft of two laptop computers.

The state fined Horizon for various violations of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, which ensures patient confidentiality in medical records. The stolen data included plan members’ names, addresses, birth dates, insurance information, and in some instances Social Security numbers and medical records, says New Jersey Division of Consumer Affairs director Steve Lee.

The theft of the laptops occurred in November 2013 at Horizon’s Newark headquarters, where an individual cut the cables that secured the laptops to a pair of desks. The New Jersey Division of Consumer Affairs fined Horizon in part because the data on the laptops was password-protected but not encrypted as required by HIPAA.

During the weekend in November 2013 when the laptops were stolen, “numerous personnel for outside vendors performing renovations and moving services had unsupervised access to the areas where the laptops were located.” Following a 2008 incident in which another laptop was stolen from an employee’s car trunk, Horizon mandated that all laptop computers be encrypted, the state says.


But the state’s investigation concluded that more than 100 laptops assigned to employees were not encrypted. The majority of the unencrypted computers had been obtained outside of the company’s normal procurement process, and thus were not detected by Horizon’s corporate information technology department. As such, the investigation found that the Horizon information technology department “did not adequately monitor, service, or install security software required by corporate policy on those laptops,” says the New Jersey Division of Consumer Affairs.

Horizon has agreed to a $1.1 million monetary settlement consisting of a $926,803 civil penalty, a $93,196 reimbursement of the state’s attorney fees and investigative costs, and $80,000 to be used at the discretion of the New Jersey Attorney General for the promotion of consumer privacy programs and/or the enforcement of consumer privacy initiatives.

“Protecting the personal information of policyholders must be a top priority of every company,” Lee says. “Horizon Blue Cross Blue Shield’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft, and this settlement ensures that Horizon will maintain appropriate data privacy and security protocols to prevent future data breaches.”

For its part Horizon says it will do a better job going forward safeguarding sensitive electronic information. “While it is reassuring that not a single confirmed incident of identity theft is traceable to the two stolen laptops, Horizon remains vigilant in protecting our members’ privacy through consistent attention to and significant investment in our physical and cyber security practices,” says a Horizon spokesman. “Horizon takes seriously our responsibility to comply with consumer protection and privacy laws and strives every day to earn the trust of our 3.8 million members by safeguarding their personal information.”


The incident cited by the New Jersey Division of Consumer Affairs wasn’t the plan’s latest breach of plan member privacy. On Nov. 2, a Horizon vendor discovered a printing error that caused certain Horizon plan members and health care professionals to receive explanation of benefits statements and explanation of payment statements that included information intended for a different member or health care professional. Horizon says it was “made aware of the incident that same day and processing was immediately suspended.”

The printing error exposed the names, addresses, birth dates, and insurance information, and in some instances Social Security and medical records, of about 170,000 plan members. Horizon says it has put corrective measures in place and is monitoring the information of the impacted plan members.