CT AG “appalled” at delay in Anthem data theft

The state attorney general is demanding Anthem Blue Cross Blue Shield of Connecticut provide more answers and identity-theft protection for nearly 19,000 health professionals whose confidential data was on a stolen laptop computer.

Attorney General Richard Blumenthal, at a press conference today, said Anthem and one of its Blue Cross Blue Shield affiliates may have broken the law after they failed to immediately notify the affected doctors, therapists and other professionals whose information was in the laptop when it disappeared last August outside Chicago.

Anthem waited until late October to notify the victims, the attorney general said.

He said Anthem may have violated Connecticut laws requiring that companies fully secure sensitive data and that, once lost or stolen, they immediately notify owners of the data about the breach.

“As appalling as the data loss, equally alarming and potentially illegal is the delay in disclosing it,” Blumenthal said. “We are vigorously investigating this appalling data loss, needlessly exposing more than 18,000 Connecticut doctors and professionals to devastating identity theft.”

Blumenthal also wants Anthem to double its offer of one year of identity-theft protection to the victims.

“I will fight for at least two years,” he said.

Jeff Smokler, a spokesman for the Blue Cross and Blue Shield Association (BCBSA), said the data was on a BCBSA employee’s personal laptop, which was stolen from the employee’s vehicle in Chicago.

He said that employee broke company protocol by putting unencrypted information onto his personal laptop, so that he could take home work over the weekend.

Someone then broke into that employee’s vehicle and stole the laptop.

Smokler said the employee’s “intentions were honest,” and that all indications are that this was a random theft. Two other vehicles in the same vicinity were broken into that night as well, and the theft was reported to the Chicago Police Department.

Smokler said the company has taken corrective action against the employee, but would not say if he or she was fired.

In a statement, Anthem Blue Cross and Blue Shield said “it takes very seriously its obligation to protect the personal information of members and providers.”

“Between the date of our notice from the Blue Cross and Blue Shield Association and the date of Anthem’s mailing to Connecticut providers, we believe we acted with all due diligence in order to minimize unnecessary delay of our notice to providers,” the company said. “Letters were mailed only after we determined who may have been impacted so as to minimize unnecessary confusion and alarm. In addition, credit monitoring arrangements were made for approximately 18,000 providers, credit monitoring subscription codes were entered into each provider notice letter and customer service and provider representatives were trained so that provider calls could be handled accurately.”

Blue Cross also said it has extended credit monitoring for affected customers for up to two years.