Theft of Laptops from Major Insurance Firm Stirs Security Concerns

Andrew Kitchenman | January 28, 2014 | Health Care
Horizon investigates November incident, which potentially compromised privacy of 800,000 customers

Greg Barnes, John Leyman and Denise O'Connor of Horizon Blue Cross Blue Shield testify about the theft of two laptop computers containing personal information about more than 800,000 customers.

Horizon Blue Cross Blue Shield of New Jersey laptops with members’ personal information have been stolen — for the second time in five years — and state legislators are demanding to know why and how it happened again.

Company officials were met yesterday with a barrage of questions from members of a state Senate committee. The officials failed to provide detailed answers to many of the questions, citing ongoing investigations and lawsuits.

The theft, which occurred on the weekend between November 1 and November 4 of last year, involved two laptops that were password-protected but not encrypted. The computers contained information about 839,711 Horizon members; information about some of those members included Social Security numbers and limited clinical information.

Horizon officials, who announced the theft on December 6, have said that there has been no indication that any identity theft resulted from the incident. The company offered those who were affected one year of free identity-theft monitoring.

The lack of encryption violated a Horizon policy that any member information on company computers be encrypted. The company has hired outside computer forensic experts to investigate the incident.

In 2008, another non-encrypted laptop containing the personal information of 300,000 customers was stolen from a Horizon employee. The company said after that incident that additional steps had been taken to secure member information on computers.

Health, Human Services and Senior Citizens Committee Chairman Joseph F. Vitale (D-Middlesex) said computer security experts have told him that they were perplexed that the information on the computers wasn’t encrypted. In addition, they found it to be “very sloppy” that employees had downloaded member information onto the laptops rather than working with the information on a company server, Vitale said.

“It would have saved everyone a lot of aggravation,” if they had been encrypted, he said.

Sen. Fred H. Madden Jr. (D-Camden and Gloucester), a former state police investigator, asked Horizon director of information security Greg Barnes whether company laptops still have members’ data stored on them. When Barnes said he couldn’t answer due to the ongoing investigation, Madden said: “My suspicions are that if the answer was ‘no,’ you have said ‘no.’ ”

When Madden asked what the company had done since November to improve its security, Barnes said the company has been working to improve its encryption policy.

Madden replied that it would be more reassuring if the response was that the company had taken steps to prevent member information from being downloaded onto the laptops again.

“The reality is, to be quite frank, it basically seems that the people are just as potentially exposed today as they were on the weekend of November 1,” Madden said.

John Leyman, Horizon’s director of government affairs, emphasized that the investigation and lawsuits made it difficult to reveal more information. Barnes did add that company officials “believe” all laptops are now encrypted.

Sen. Robert W. Singer (R-Monmouth and Ocean) expressed frustration that the company would still have any unencrypted laptops five years after an earlier theft revealed a potential danger. Barnes said the outside forensic consultant would examine how this occurred.

Leyman said that it would be difficult for anyone other than the employees who used the laptops to know what information was on them, and that company officials think the computers were stolen for the value of the machines, not the information they contained.

Vitale said a letter Horizon sent to members discounted the possibility that the thieves were seeking member information.

“It is the worst-case scenario, but it’s not unlikely that that’s the reason that it happened,” Vitale said.

Sen. Richard J. Codey, a committee member, expressed frustration that the company officials couldn’t provide more information about how the thefts occurred.

“Obviously, it’s scary to all of us, when – with a company like yours – you have Social Security numbers, so forth and so on, (member) addresses, and then some incredibly sensitive medical information that no one would want exposed to the public,” said Codey, adding that he was more concerned about the risk that company computers could be hacked than the risk of more thefts of computers.

Vitale said the committee will submit further questions to Horizon, seeking more detailed answers.