AMA House of Delegates
AMA meeting: Better data protection needed from Blues
■ New AMA policy says the national insurer needs to expand its offer of credit protection for doctors whose information was on a stolen laptop.
By Damon Adams — Posted Nov. 23, 2009

- INTERIM MEETING 2009
- » Our coverage
- » Print special section
- » AMA official proceedings
- » Meeting notes: Other actions
- » Related content
Houston -- The BlueCross BlueShield Assn. should expand credit protection and increase identity theft insurance to physicians affected when a laptop computer containing doctors' personal information was stolen from an employee's car, according to policy adopted by the American Medical Association House of Delegates.
The new policy calls for the Blues association to offer at least five years of credit protection for all affected physicians, offer more than one company for protection, raise the amount of ID theft insurance and publicly report confirmed cases of identity theft.
The national Blues plan also should provide affected physicians easy access to credit-monitoring reports without cost, and give legal protection and indemnification to doctors for any losses resulting from the breach.
"It's really unconscionable that you could be so negligent in handling someone's data," said Michael Simon, MD, a Poughkeepsie, N.Y., anesthesiologist and alternate delegate for the American Society of Anesthesiologists, who spoke on his own behalf in committee testimony.
Dr. Simon and other delegates said the measures are necessary to protect physicians from thieves. "They can now set up a practice using your name and number on paper and send out bills," Dr. Simon said.
A file containing unencrypted, identifying information for every physician nationwide who contracts with a BlueCross BlueShield-affiliated insurance plan was on the stolen employee-owned computer.
The Blues association told affiliated plans one week after the Aug. 25 theft. But the 39 member plans did not start informing the affected 850,000 doctors until October. Connecticut Attorney General Richard Blumenthal is investigating the data breach and whether the delay in notifying physicians violated state law. In a statement Nov. 9, Blumenthal also said affected physicians should get at least two years of credit monitoring and protection.
The Blues said it would provide a free year of credit monitoring only for those doctors listed in the file whose Social Security number is also their National Provider Identifier or tax identification number.
Blues spokesman Jeff Smokler said the association is working with the AMA to address physicians' concerns. It has contacted the Centers for Medicare & Medicaid Services to ensure that the agency knows which physician IDs have been compromised in case fraudulent billing is suspected. After the laptop was reported stolen, he said, the delay in getting the word to doctors was a result of "the way we're set up."
"We regret that this unfortunate and rare occurrence took place, and we are working to rectify the situation as swiftly and responsibly as possible," Smokler said. "We take very seriously our commitment to our provider partners and are committed to working with the AMA to protect physicians' information and to prevent such a security breach from happening again."
The new AMA policy also says insurers should store personal information about physicians and other health care professionals electronically only in encrypted form to reduce the chance of a data security breach. If a breach occurs, insurers should notify physicians immediately.
The AMA will study the problems of such breaches and report back at its Annual Meeting in June 2010.