Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has settled a data breach that affected approximately 690,000 New Jersey residents. This data breach was noted on this blog not too long ago: In January, the Third Circuit Appellate Court declared that a lawsuit against the insurer could proceed because the "improper disclosure" of personal data is a violation of FCRA.
That is, if unauthorized people gain access to personal information via a data breach, it is a violation of federal regulations concerning credit reports (which businesses use to vet people, be they employees, potential clients, etc.).
As it turns out, concurrently with the above legal toil, Horizon BCBSNJ was being investigated by the Department of Health and Human Services. In the end, the company decided to settle for $1.1 million (that's $550,000 per stolen computer). And the report accompanying the settlement uncovered more details on what happened.
The data breach occurred when two Macintosh laptops were stolen from the eighth floor of Horizon BCBSNJ's offices. These computers were password-protected but not encrypted. They were tied to their desks using security cables. There was no additional security.
Which is odd because all Macs since the early 2000s have come with FileVault, Apple's free disk encryption software. Why was this not used? After all, it's free and doesn't impact a Mac's performance when it's turned on.
It turns out that the insurer's IT department didn't know these two computers were out there. In fact, these two and 100+ more laptops did not show up on the IT department's radar because they "had been obtained outside of the company's normal procurement process."
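The two gaps described above (laptops unknown to procurement, and laptops with FileVault never enabled) are exactly what a periodic reconciliation check would surface. The following is an added example, not code from the original post or from Horizon BCBSNJ: it assumes an endpoint agent or MDM has collected the text printed by `fdesetup status` from each Mac, keyed by serial number, and compares that against the procurement inventory. All serial numbers and status strings below are constructed placeholders.

```python
"""Reconcile a procurement inventory against what is actually observed on
Macs, flagging laptops that are unknown to procurement or lack FileVault.

Constructed sample data (not Horizon BCBSNJ's): the status strings mimic
the format `fdesetup status` prints on macOS; everything else is made up.
"""
import re

# Constructed procurement inventory: serial numbers IT knows about.
PROCUREMENT_INVENTORY = {"C02ABC1", "C02ABC2", "C02ABC3"}

# Constructed endpoint reports: serial -> output of `fdesetup status` as an
# agent might have collected it. (Placeholder values.)
ENDPOINT_REPORTS = {
    "C02ABC1": "FileVault is On.",
    "C02ABC2": "FileVault is Off.",
    "C02ABC4": "FileVault is Off.",  # bought outside procurement
    "C02ABC5": "FileVault is On.\nEncryption in progress: Percent completed = 42.",
}

FILEVAULT_ON = re.compile(r"^FileVault is On\.", re.MULTILINE)
IN_PROGRESS = re.compile(r"Encryption in progress", re.IGNORECASE)


def filevault_enabled(status_output: str) -> bool:
    """True only when FileVault reports On and no encryption pass is still running."""
    return bool(FILEVAULT_ON.search(status_output)) and not IN_PROGRESS.search(status_output)


def reconcile(inventory: set, reports: dict) -> dict:
    """Return the three lists a defender cares about, each sorted by serial."""
    unknown = sorted(s for s in reports if s not in inventory)
    unencrypted = sorted(s for s, out in reports.items() if not filevault_enabled(out))
    unseen = sorted(s for s in inventory if s not in reports)
    return {
        "unknown_to_procurement": unknown,   # the 100+ laptops nobody knew about
        "filevault_off": unencrypted,        # the two stolen laptops' condition
        "inventoried_but_unseen": unseen,    # candidates for "already missing"
    }


if __name__ == "__main__":
    for finding, serials in reconcile(PROCUREMENT_INVENTORY, ENDPOINT_REPORTS).items():
        print(f"{finding}: {serials}")
```

A device that is still mid-encryption is deliberately counted as not yet protected, since a laptop stolen at that point still exposes the unencrypted remainder of the disk.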
This is understandable. Not excusable, mind you, but understandable. Keeping track of inventory is one of those impossible quests. Even the military fails at it, and they're trying to account for dangerous stuff. Like warheads. That laptops are not accurately inventoried should not come as a surprise.
Of course, it's because of reasons like these that IT departments generally tend to secure a device before it's released into the wild. In the earlier half of this decade, people were still arguing that one should conduct an investigation into how a machine would be used, who would be using it, what kind of information would be stored in it, etc., and then decide what type of security to install on it, if any.
Others pointed out that this particular approach is a pipe dream because nothing ever happens the way it should (aka a variation of Murphy's Law). Time has shown again and again that the cynical outlook is the correct one when dealing with the real world.
Which brings us to Oops #2: it turns out that the laptops at the center of the data breach belonged to employees who were not supposed to be handling protected health information (PHI). And yet, these laptops contained PHI. Murphy strikes again.
You've got to feel for Horizon BCBSNJ: they had implemented encryption across all machines after the company had experienced a data breach that involved a stolen laptop with sensitive information. They had announced the completion of that particular security project in May 2008. They had taken the time to encrypt both laptops and desktop computers.
And, five years later, the company fell victim to what is essentially the same problem: a data breach born of laptop theft.
But this is the wrong way to look at the situation. Without access to Horizon BCBSNJ's internal data, the following can only be speculation, but they've probably averted a great deal of similar data breaches since 2008. After all, laptops are lost and stolen quite frequently, and the company does have over 5000 employees. And the bigger the organization you are, the greater the probability (some might say certainty) that you'll be missing a laptop each year. That the insurer did not have to report a data breach stemming from a missing computer until 5 years later is, in a weird way, something to be congratulated on.
As security professionals say, there is no perfect security. You can only minimize, as much as you can, the chances of being affected by a data breach. Horizon BCBSNJ could have done better, obviously. But knowing now what we do about the incident, and considering what we've seen in the data security field in the past 10 years, it could be argued that the insurer did a pretty good job (with room for improvement).