A file containing unencrypted identifying information for every physician in the country who contracts with a BlueCross BlueShield-affiliated insurance plan was on a laptop computer stolen from an employee's car Aug. 27. The file contained names, addresses, tax identification numbers and national provider identifier (NPI) numbers for about 850,000 physicians, said Jeff Smokler, spokesman for the Chicago-based Blues assn. BCBS notified its affiliates about the possible breach a week after the theft and put them in charge of notifying network physicians. It took the 39 member plans more than a month to begin notifying physicians of the incident. As of mid-October, some physicians still had not received letters about the data breach, Smokler said. Doctors who were not among the estimated 187,000 whose Social Security numbers were included in the file might not be informed at all. Some Blues plans -- including WellPoint, which operates 14 Blue Cross Blue Shield-affiliated plans, and Highmark, based in Pittsburgh -- were notifying only physicians whose Social Security numbers were included in the file. Unlike with patient data, no state or federal law requires physicians to be told within a specified number of days of a data breach involving their personal information.
The new HIPAA breach notification regulation enacted in August does not apply here because the file contained no protected health information (PHI). Although there was nothing physicians could have done to prevent this particular incident, experts and physician advocates said the theft is a reminder that physicians need to take steps to protect themselves against the consequences of a data breach. Those steps include taking advantage of any free credit monitoring offered and continuing that service after the free year is up, and making sure the tax identification number you use for billing is not your Social Security number, so that a stolen file of tax IDs and NPI numbers does not also expose your SSN.