New Jersey Blue Cross Blue Shield (BCBSNJ) recently made news as word of one lost employee laptop spread like wildfire through the health care community and press, adding BCBS to a long list of payers and physicians who have been forced to disclose the loss of computer hardware containing patients’ personal information.
Legal Duty of Disclosure
First, BCBSNJ’s plight reminds us of the significant cost associated with losing unprotected hardware. In accordance with New Jersey law (N.J.S.A. § 56:8-160, et seq.), BCBSNJ provided written notice to more than 300,000 patients whose personal information may have been contained on the lost laptop.
Under New Jersey law, BCBSNJ was also required to notify the New Jersey Department of Law and Public Safety, which has the statutory obligation of referring the matter for investigation in appropriate situations. Moreover, BCBSNJ had the obligation of notifying the major credit reporting agencies of the data breach and has also agreed to incur expenses arising from securing credit monitoring for all affected patients.
At the end of the day, one lost computer has likely caused BCBSNJ to incur more than one million dollars in out-of-pocket costs, not to mention the substantial intangible losses that BCBSNJ will suffer as a result of this very public and embarrassing episode.
Second, it is noteworthy that BCBSNJ took precautions to protect its data, yet it may have taken the wrong precautions.
The data on BCBSNJ’s lost laptop was apparently password-protected. Moreover, the program required to access the protected data was timed to expire within days of its loss. Nevertheless, these safeguards are probably not legally adequate to avoid the necessity of public disclosure.
The notification obligations under New Jersey law are triggered when a company discovers that its computerized records containing personal information have actually or likely been accessed by an unauthorized third party. While there is some ambiguity in the law, it appears that the loss of a company’s computer hardware containing personal information regarding its clients will almost always trigger the reporting obligations unless the data is encrypted.
Encryption: The Solution
Data encryption uses an algorithm to convert data into a form that is unreadable to anyone who does not hold the decryption key. A company can encrypt its clients’ personal information easily without impairing the speed or efficiency of its applications. Encryption software is also inexpensive; in fact, free, open source encryption software is available.
Encryption is the ‘silver bullet’ under the data breach notification law in New Jersey and similar laws in many other states. According to IT professionals and lawmakers, encrypted data is not reasonably accessible even if the hardware on which it is located is lost. Therefore, a company that loses a laptop containing personal information does not have an obligation to notify the public if the personal information is encrypted.
The Legal Risk of Erring on the Side of Non-Notification
In this litigious era, replete with class action lawyers eager to obtain counsel fees that far exceed the damages of individual plaintiffs, a medical practice is taking a great risk if it does not properly notify its patients when it loses control over hardware containing unencrypted personal data.
New Jersey’s data breach notification law falls under the umbrella of New Jersey’s Consumer Fraud Act. Hence, a medical practice’s violation of New Jersey’s data breach notification law subjects it to the significant penalties contained in the New Jersey Consumer Fraud Act, including the requirement to pay an aggrieved patient three times his or her actual damages. Moreover, if a patient proves that a medical practice failed to appropriately provide notice of a breach, the New Jersey Superior Court will award attorney’s fees and costs to the patient and this amount could very likely exceed his or her award of damages.
While encryption is fundamental to securing confidential data, a company should always employ a multi-faceted, layered security approach including such things as well-reasoned standard operating procedures, access controls and physical safeguards. With encryption as the cornerstone, a company can avoid the possibility of incurring the significant monetary and intangible costs that accompany the loss of client or patient data.
Disclaimer: The information contained within the MTBC® Learning Center is provided for general educational and informational purposes only and should not be construed as legal advice. The author of the Learning Center does not represent the Web site user or the individual submitting a particular question. Please seek the advice of legal counsel to address any specific questions you may have regarding your particular facts or circumstances.