850,000 physicians urged to be on lookout for signs of identity theft

Individual BlueCross BlueShield plans are still notifying physicians who may be at risk after a laptop computer containing their identifying information was stolen.

By Emily Berry — Posted Oct. 19, 2009


A file containing unencrypted identifying information for every physician in the country who contracts with a BlueCross BlueShield-affiliated insurance plan was on a laptop computer stolen from an employee of the national association in Chicago.

The employee-owned computer was taken from a car Aug. 27, yet notification of doctors didn't start until October. The BlueCross BlueShield Assn. told its affiliated plans a week after the theft. But "because of the way we're set up," said Blues spokesman Jeff Smokler, the 39 member plans did not start telling the affected 850,000 doctors until more than a month later.

As of mid-October, some physicians still had not received letters about the data breach, Smokler said. Doctors who weren't among the estimated 187,000 whose Social Security numbers were included in the data might not be informed at all.

Unlike with patient data, there are no state and federal laws that require physicians to be told in a specified number of days of a data breach involving their personal information.

"I think they should have notified [doctors] sooner," said Mario Motta, MD, a cardiologist from Salem, Mass., and president of the Massachusetts Medical Society. Dr. Motta said that if any fraud or identity theft is shown to stem from the laptop theft, the Blues association should take responsibility and "make things whole."

The BlueCross BlueShield Assn. is giving free credit monitoring services to those doctors whose Social Security numbers were stolen. The association said other doctors, upon request to their home-state plans, will receive credit monitoring as well. (See Clarification)

The American Medical Association, which met with BlueCross BlueShield on Oct. 7 about the theft, said in a statement that it recommends physicians take the Blues up on its offer for monitoring services, even though it appears identity thieves weren't behind the laptop theft. Multiple cars in the area were reportedly vandalized at the time.

"We are working with BCBSA to recommend steps that it can take to help mitigate the risk of identity theft resulting from this data breach," said AMA President J. James Rohack, MD.

John White, a data security expert based in Chico, Calif., who specializes in health information, said doctors should continue with credit monitoring after the first year, just in case the stolen laptop does fall into the hands of someone wanting to steal physician data. "If I'm the bad guy and I've got that information, I'll just wait a year and after that start to work it."

What's at risk

An unencrypted file on the laptop included the name, address, tax identification number and national provider identifier for about 850,000 doctors, Smokler said. That's every physician who is part of the BlueCard network. Some 16% to 22% of the doctors on that list used their Social Security numbers as an NPI or tax ID number, Smokler said.

Drug Enforcement Administration numbers, used for prescribing controlled substances, were not included. And there was no indication that the thief knew what was stored on the computer, Smokler said.

The association updates its file of BlueCard network physicians weekly. An unidentified employee downloaded the file onto his personal computer to work on it at home, a practice that is against company policy, Smokler said.

"It was a mistake, an unfortunate mistake, but the association and plans involved have moved swiftly and deliberately to rectify the situation," he said. "We are re-evaluating that protocol and how we prevent this from happening again."

Some Blues plans -- including WellPoint, which operates 14 Blue Cross Blue Shield-affiliated plans, and Highmark, based in Pittsburgh -- were notifying only physicians whose Social Security numbers were included in the file. For WellPoint, that meant sending about 64,000 letters, spokeswoman Cheryl Leamon said.

Kristen Mathews, a New York attorney who is head of the privacy and data security practice group for the law firm Proskauer Rose, said there is no federal statute that would mandate a particular response by the Blues. Forty-five states have data breach laws, which vary in terms of notification requirements. Most basically require an entity that compromises personal information to tell the people affected within a "reasonable" time period, she said.

Because no health information was contained in the laptop, HIPAA privacy breach disclosure rules that recently took effect -- requiring notification of a breach within a certain number of days -- would not apply, she said.

Protecting your identity

Although there's nothing physicians could have done to prevent this particular incident, experts and physician advocates said the theft is a reminder that physicians need to take steps to protect against data breaches.

Those steps include taking advantage of free credit monitoring and continuing that service after a year is up, and making sure you have unique NPI and tax ID numbers that are not your Social Security number.

Data security expert White noted that someone can do a lot of damage with just a name and address, not to mention an NPI. While credit monitoring could help catch identity theft using a person's Social Security number, there is no easy way to know whether your NPI has been misused, he said.

"If you start seeing stuff that comes back that doesn't make any sense, or comes from a patient that you don't know, it may be a warning sign that someone is using your information and billing Medicare," he said.

"I would not let anything like that go unnoticed."



What to do after a breach

The BlueCross BlueShield Assn. and security experts recommend that victims of a data breach involving the theft of a Blues employee's laptop take the following steps:

  • Contact your state BlueCross BlueShield-affiliated plan with questions or to request a free year of credit monitoring.
  • If your Social Security number is also your tax identification number or national provider identifier, you should file for a unique tax ID and/or NPI to limit the damage of any future identity theft.
  • After the free year of credit monitoring is up, pay for continued credit monitoring or do regular checks of your credit report yourself. You can check your report once a year for free through a source provided by the Federal Trade Commission.
  • Watch for unusual claims activity indicating that someone might be using your NPI fraudulently to file claims with Medicare or other insurers.

Sources: BlueCross BlueShield Assn.; John White, Protection Management LLC


External links

Federal Trade Commission on getting a free annual credit report (link)



BlueCross BlueShield Assn. provided incorrect information on how they will be handling credit monitoring for physicians impacted by stolen data. The association will provide a free year of credit monitoring only for those physicians listed in the file whose Social Security number is also their tax identification number or National Provider Identifier.



