Connecticut AG Investigating Blue Cross Breach

Disclosure timeliness at issue
November 17, 2009

The headaches for Blue Cross Blue Shield continue, most recently in the form of an investigation by Connecticut Attorney General Richard Blumenthal into the company’s handling of a data breach this summer. The company’s trouble began Aug. 25, when somebody stole a laptop from an employee’s car in Chicago, where the company is headquartered. That laptop included names, addresses, tax identification and provider numbers, and some Social Security numbers for 850,000 Blue Cross Blue Shield providers across the country.

Now, as Informationweek.com points out in a recent update, the office has suggested Blue Cross Blue Shield and affiliates “may have violated state law by losing the information and failing to notify providers in a timely manner.” According to Informationweek.com’s article, the company took two months to inform the parties affected by the breach.

A spokeswoman for Anthem Blue Cross and Blue Shield defended the company’s actions in an earlier interview with the Connecticut Post, saying that the network attempted to reach affected professionals in an expedited manner. A company spokesman told Informationweek.com the company notified 39 independent licensees “within days.” Initially, the company offered a year’s worth of free credit monitoring to the individuals, but has extended that offer to two years. Though the incident affected health care providers nationwide, Blumenthal’s investigation only pertains to the 18,817 from Connecticut.

A little bit of good news for those whose Social Security numbers may have been among those exposed: the SSNs weren’t labeled as such, according to the spokeswoman quoted by Informationweek.com. Nevertheless, that doesn’t totally eliminate the risk of such a data exposure.

The takeaway? First, it’s important not to simply pay data security policies mere lip service but to follow them—apparently the employee’s decision to take the confidential information home with her was a violation of Blue Cross Blue Shield protocols. Second, it’s important to make sure any confidential information is encrypted (the stolen Blue Cross Blue Shield information was not).

©2003-2010 Identity Theft 911, LLC. All rights reserved.