Blue Cross Blue Shield Breach Notification – Any delay is unreasonable!
The Connecticut Attorney General has requested more information from Blue Cross Blue Shield in order to determine if BCBS violated Connecticut law and acted in an unfair and deceptive manner because it waited TWO MONTHS TO NOTIFY RESIDENTS OF A BREACH.
According to Hunton & Williams,
“[t]he data contained on the stolen laptop included the names, addresses and Taxpayer Identification Numbers of approximately 19,000 health care providers in Connecticut. The breach also involved thousands of Social Security numbers (“SSNs”), since an estimated 16-22% of individual health care providers use their SSNs as Taxpayer Identification Numbers.
Attorney General Blumenthal called “one of the most sizable and significant in Connecticut’s history,” involved the theft of a laptop containing confidential unencrypted data from the car of a BCBS employee in late August. BCBS notified affected Connecticut residents of the breach in late October.”
The Attorney General needs to decide, as an initial regulatory decision, whether, in terms of protecting the citizens of the State of Connecticut, the delay was reasonable.
The answer is rather simple, really. The starting point for the decision needs to be that any delay is unreasonable. That is, the instant that the data was compromised, the potential for harm had begun. BCBS therefore needs to justify why it was putting citizens’ financial security at risk.
The only reasonable excuse, the only possible rationale that can be justified is that BCBS could not determine who should be notified. Even then, a notification should have been forthcoming to all potential victims.
What other reasonable excuse could there possibly be? Pray tell?
Does your organization have a data breach protocol? Isn’t it about time?
