850,000 physicians urged to be on lookout for signs of identity theft

A file containing unencrypted identifying information for every physician in the country who contracts with a BlueCross BlueShield-affiliated insurance plan was on a laptop computer stolen from an employee of the national association in Chicago.

The employee-owned computer was taken from a car Aug. 27, yet notification of doctors didn't start until October. The BlueCross BlueShield Assn. told its affiliated plans a week after the theft. But "because of the way we're set up," said Blues spokesman Jeff Smokler, the 39 member plans did not start telling the affected 850,000 doctors until more than a month later

As of mid-October, some physicians still had not received letters about the data breach, Smokler said. Doctors who weren't among the estimated 187,000 whose Social Security numbers were included in the data might not be informed at all.

Unlike with patient data, there are no state and federal laws that require physicians to be told in a specified number of days of a data breach involving their personal information.

"I think they should have notified [doctors] sooner," said Mario Motta, MD, a cardiologist from Salem, Mass., and president of the Massachusetts Medical Society. Dr. Motta said that if any fraud or identity theft is shown to stem from the laptop theft, the Blues association should take responsibility and "make things whole."

The BlueCross BlueShield Assn. is giving free credit monitoring services to those doctors whose Social Security numbers were stolen. The association said other doctors, upon request to their home-state plans, will receive credit monitoring as well. (See Clarification)

The American Medical Association, which met with BlueCross BlueShield on Oct. 7 about the theft, said in a statement that it recommends physicians take the Blues up on its offer for monitoring services, even though it appears identity thieves weren't behind the laptop theft. Multiple cars in the area were reportedly vandalized at the time.

"We are working with BCBSA to recommend steps that it can take to help mitigate the risk of identify theft resulting from this data breach," said AMA President J. James Rohack, MD.

John White, a data security expert based in Chico, Calif., who specializes in health information, said doctors should continue with credit monitoring after the first year, just in case the stolen laptop does fall into the hands of someone wanting to steal physician data. "If I'm the bad guy and I've got that information, I'll just wait a year and after that start to work it."

What's at risk

An unencrpyted file in the laptop included the name, address, tax identification number and national provider identifier for about 850,000 doctors, Smokler said. That's every physician who is part of the BlueCard network. Some 16% to 22% of the doctors on that list used their Social Security numbers as an NPI or tax ID number, Smokler said.

Drug Enforcement Administration numbers, used for prescribing controlled substances, were not included. And there was no indication that the thief knew what was stored on the computer, Smokler said.

The association updates its file of BlueCard network physicians weekly. An unidentified employee downloaded the file onto his personal computer to work on it at home, a practice that is against company policy, Smokler said.

"It was a mistake, an unfortunate mistake, but the association and plans involved have moved swiftly and deliberately to rectify the situation," he said. "We are re-evaluating that protocol and how we prevent this from happening again."

Some Blues plans -- including WellPoint, which operates 14 Blue Cross Blue Shield-affiliated plans, and Highmark, based in Pittsburgh -- were notifying only physicians whose Social Security numbers were included in the file. For WellPoint, that meant sending about 64,000 letters, spokeswoman Cheryl Leamon said.

Kristen Mathews, a New York attorney who is head of the privacy and data security practice group for the law firm Proskauer Rose, said there is no federal statute that would mandate a particular response by the Blues. Forty-five states have data breach laws, which vary in terms of notification requirements. Most basically require an entity that compromises personal information to tell the people affected within a "reasonable" time period, she said.

Because no health information was contained in the laptop, HIPAA privacy breach disclosure rules that recently took effect -- requiring notification of a breach within a certain number of days -- would not apply, she said.

Protecting your identity

Although there's nothing physicians could have done to prevent this particular incident, experts and physician advocates said the theft is a reminder that physicians need to take steps to protect against data breaches.

Those steps include taking advantage of free credit monitoring and continuing that service after a year is up, and making sure you have unique NPI and tax ID numbers that are not your Social Security number.

Data security expert White noted that someone can do a lot of damage with just a name and address, not to mention an NPI. While credit monitoring could help catch identity theft using a person's Social Security number, there is no easy way to know whether your NPI has been misused, he said.

"If you start seeing stuff that comes back that doesn't make any sense, or comes from a patient that you don't know, it may be a warning sign that someone is using your information and billing Medicare," he said.

"I would not let anything like that go unnoticed."