850,000 doctors could be hit by potential data breach from insurer's stolen laptop
■ A missing computer belonging to a BlueCross BlueShield Assn. employee also includes Social Security numbers of more than 100,000 physicians -- and all the data are unencrypted.
By Emily Berry — Posted Oct. 6, 2009
A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. It is not yet known whether any identity theft has resulted from the data breach.
The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors, Jeff Smokler, spokesman for the Chicago-based Blues association, said Oct. 6. That number represents every physician who is part of the BlueCard network, which allows Blues members to access networks in other states, Smokler said.
Some 16% to 22% of those physicians listed -- as many as 187,000 -- used their Social Security numbers as a tax ID or NPI number, Smokler said.
The association updates its file of BlueCard network physicians weekly, Smokler said. An unidentified employee downloaded the unencrypted file onto his personal computer to work on it at home, a practice that is against company policy, he said.
"We are re-evaluating that protocol and how we prevent this from happening again," Smokler said.
Smokler said the laptop was stolen from the employee's car Aug. 27. He said Chicago police had been notified of the theft, but the computer had not been recovered as of Oct. 7.
The association has made its member plans responsible for notifying network physicians of the breach. The association is offering 12 months of credit monitoring automatically for those physicians whose Social Security numbers were included in the file, and for any other physicians who request the service through their local Blues plan, Smokler said. (See Clarification)
"It was a mistake, an unfortunate mistake, but the association and plans involved have moved swiftly and deliberately to rectify the situation," Smokler said.
But as of Oct. 7, Smokler said some physicians still have not been notified by their contracted Blues plans.
He said the association told the 39 member Blues plans about the theft within a week after it happened, but "because of the way we're set up," there was a further delay before many individual plans notified their network doctors.
The American Medical Association on Oct. 6 asked the BlueCross BlueShield Assn. to meet regarding the data breach.