If you'll recall, BlueCross BlueShield announced a data breach last month, when an employee lost a laptop with the information of all doctors in their network (apparently, something like 90% of all doctors nationwide). While BCBS uses drive encryption software to secure data, it was in vain: the employee had downloaded the data to his personal laptop.
Not only is an Attorney General (Connecticut) looking into whether BCBS broke any laws, now they've got the AMA opining as well--and, in their opinion, BCBS should offer 5 years' worth of credit protection.
A policy adopted by American Medical Association House of Delegates,
...calls for the Blues association to offer at least five years of credit protection for all affected physicians, offer more than one company for protection, raise the amount of ID theft insurance and publicly report confirmed cases of identity theft.
The national Blues plan also should provide affected physicians easy access to credit-monitoring reports without cost, and give legal protection and indemnification to doctors for any losses resulting from the breach.
I can tell you right now that that last part is not happening. I may not be a lawyer, but I've learned enough to know that no company in the US goes about indemnifying stuff if they can help it. My guess is BCBS is going to, at least, fight that last provision tooth-and-nail.
To date, we know that 850,000 doctors were affected. Of those, 136,000 to 187,000 physicians used their SSNs as their tax IDs or NPI numbers. BCBS is offering to pay for two years of credit protection for physicians at risk (the AMA seems to be implying that the offer should be five years for all 850,000 doctors, though).
Assuming that BCBS can get rock-bottom prices of $5 per doctor,
2 years and 850,000 doctors: $8.5 million
5 years and 850,000 doctors: $21.25 million
2 years and 136,000 doctors: $1.36 million
5 years and 136,000 doctors: $3.4 million
Of course, this is assuming that 100% of the physicians decide to sign up for credit monitoring. (And why wouldn't they? After all, it's not just the BCBS that goes around losing data. Credit monitoring means monitoring for all instances of weird financial shenanigans, right?)
Remember, folks: data security is not just about using encryption software and calling it a day. There's more to it, like data monitoring, that requires constant vigilance.
Related Articles and Sites: http://www.ama-assn.org/amednews/2009/11/23/prsg1123.htm