Connecticut Attorney General Richard Blumenthal is criticizing the Blue Cross and Blue Shield Association's response to the theft of an employee's personal laptop computer loaded with a directory of as many as 850,000 providers across the U.S.
Blumenthal is investigating whether the association and its local member plans violated Connecticut laws requiring that companies secure personal information and quickly disclose breaches. Nearly 19,000 Connecticut providers were listed in the stolen directory, according to a news release from his office.
The computer went missing when an employee's car was burglarized in late August, and providers were notified in October. “As appalling as the data loss, equally alarming and potentially illegal is the delay in disclosing it,” Blumenthal said in the release. He said he would push the companies to offer two years of free identity-theft protection to the providers included in the breach.
Blue Cross and Blue Shield spokesman Jeff Smokler said only about 18% of the listings included Social Security numbers, which some providers use as their national provider identification. “We're certainly sensitive to the attorney general's comments and are looking carefully at all the issues he raises to make sure the remediation works even better,” Smokler said.
The database is maintained by the association for the BlueCard program, which allows members to seek care with Blues providers when they travel out of state. The employee whose car was broken into had transferred the unencrypted directory onto a private computer in order to do a weekly update, Smokler said. “Within days we had begun the outreach with the individual plans,” he said. “I think we took the appropriate measures to protect providers adequately.”