On Monday, Connecticut Attorney General Richard Blumenthal (D) said he is investigating whether the BlueCross BlueShield Association violated state law by waiting nearly two months to inform affected individuals about a data security breach, the Hartford Courant reports.
Connecticut state law requires organizations that experience data breaches to inform affected individuals with "reasonable" speed. The law does not specify a time frame for disclosure (Gosselin, Hartford Courant, 11/10).
Breach Details
A laptop stolen in Chicago in August contained information on about 850,000 BCBS-affiliated physicians nationwide, including about 18,800 Connecticut health care providers. The association did not inform affected individuals until October, Blumenthal said.
The compromised data included addresses, names and official identification numbers (Baruzzi, New Haven Register, 11/10).
BCBS spokesperson Jeff Smokler said about 18% of the entries contained Social Security numbers (Blesch, Modern Healthcare, 11/9).
The stolen laptop did not include any patient information (Miller, Danbury News-Times, 11/9).
Credit Monitoring
Blumenthal also criticized BCBS for offering affected physicians only one year of identity theft protection.
On Monday, BCBS said they would extend credit monitoring services for two years (Dixon, Connecticut Post, 11/9).