Horizon Blue Cross Blue Shield of New Jersey disclosed Friday that two laptop computers were stolen from its Newark headquarters during the first weekend in November — and that 839,711 members are being notified.
"Nothing leads us to believe that the computers were stolen for the information they contained or that any member information has been used inappropriately," said Tom Rubino, director of public affairs.
Horizon said a review by outside computer forensic experts confirmed the laptops may have contained files with differing amounts of member information, including name and demographic information (address, member identification number, date of birth), and in some instances, a Social Security number and/or limited clinical information.
Those members whose Social Security numbers are involved are being offered free credit monitoring and identity theft protection, the company said.
Horizon said it notified the Newark Police Department on Nov. 4 and began a thorough internal investigation upon discovering that the laptops were missing.
"After discovering the theft, we acted quickly to engage law enforcement and notify and protect all members who may have been affected," Rubino said.
Horizon said it continues to work with law enforcement to locate the laptops.
To prevent a similar incident from happening in the future, the company said it is "strengthening encryption processes and enhancing its policies, procedures and staff education regarding the security of company property and member information."
Horizon said the two laptops were password-protected, unencrypted laptop computers that were cable-locked to employee workstations.
Asked why Horizon is disclosing the theft now, a month after it occurred, spokesman Tom Vincz said, "Our security team began investigating what information may have been on the laptops immediately upon finding out they were stolen. Horizon engaged outside forensic computer experts to assist in determining what information may be on the laptops. This was not an easy process, and the work was just completed this week."
"We are notifying our members as soon as possible. Our top priority right now is to notify our members who have been affected and help them to protect themselves," Vincz said.
Darryl S. Neier, partner in charge of the forensic accounting/litigation support group at Sobel & Co., did not find it unusual that Horizon is notifying members a month after the laptop thefts.
Neier said under the state's Identity Theft Protection Act, companies must notify law enforcement immediately of a security breach, but may be required to hold off alerting consumers to avoid compromising an investigation.
He said the Horizon members should take the company up on its offer of free credit monitoring and identity theft protection. When personal identity information is stolen, "that information may not be used immediately; it may be used a year later or six months later if it's going to be used at all."
He said the affected Horizon members might also consider putting a security freeze on their credit report, which prevents anyone from obtaining credit in their name.
And he advises all consumers to routinely monitor their credit reports.
"Every six months you should pull your credit report to see if there is anything there you don't recognize and make sure there is nothing adverse," he said.