Nearly 840,000 Horizon Blue Cross Blue Shield subscribers are being notified that their personal information may have been contained on a pair of laptops that were stolen from the insurer’s Newark headquarters last month.
The stolen laptops were password-protected, but had unencrypted data, Horizon said in a statement today. A subsequent investigation determined the computers may have contained files with personal information, including names, addresses, dates of birth and, in some instances, Social Security numbers and "limited clinical information," the insurer said.
The theft occurred during the weekend of Nov. 1 and was reported to the Newark Police Department on Monday, Nov. 4, Horizon said. At the time they were stolen, the computers were cable-locked to employee workstations.
According to a police report obtained by The Star-Ledger, the cable-locks apparently were "tampered with and damaged" in the incident, which took place on the eighth floor of 3 Penn Plaza. The laptops were MacBook Pros, the report said.
Because of the way the computers were configured, it’s not clear whether all of the member information was accessible, said Horizon, New Jersey’s largest health insurer, with more than 3 million subscribers.
"After discovering the theft, we acted quickly to engage law enforcement and notify and protect all members who may have been affected," Tom Rubino, director of public affairs at Horizon, said in a statement.
"Nothing leads us to believe that the computers were stolen for the information they contained or that any member information has been used inappropriately."
Carl Herberger, vice president at Radware, a cybersecurity firm that has its U.S. headquarters in Mahwah, said it is hard to know "how many alarm bells we should ring" without knowing the motive for the theft.
"Until we know the motive and we know the perpetrators, it’s really conjecture," he said
But he said it increasingly has become the case in which electronics are stolen not for the assets themselves, but for the data they contain, which can be monetized or used for other purposes. Herberger also said it is a "little unusual in today’s environment" for sensitive data to not be encrypted.
Horizon also has notified federal and state agencies, including the state Department of Banking and Insurance, the U.S. Department of Health and Human Services, and the state Division of Consumer Affairs, Rubino said.
The subscribers whose Social Security numbers were affected are being offered free credit monitoring and identity theft protection services, Horizon said.
The insurer also said it is strengthening its encryption processes and beefing up its policies, procedures and staff education.
This isn't the first time Horizon has had to notify customers of a breach because of a stolen computer. In 2008, it alerted 300,000 people about a theft of a laptop in Newark that contained their personal information.
At the time, the company said the laptop had been programmed to destroy the customer information soon after the theft occurred. In that incident, there was no indication of any misuse of the customer information.