I first posted this on October 3rd, and the one security expert here makes a darn good point: will a potential “bad guy” just wait out the year before going into action? This also makes a statement about trusting the company's use and overall policies for our health data, as the algorithms for profit take priority. BD
According to this article, all it took was one employee not following the encryption procedure and we have a potential mess, this one involving physician information rather than patient data. Talk about a bit of an inconvenience: physicians having to apply for a new tax ID. This has to sit real well with physicians – NOT. This also makes a good case for getting away from using a social security number as your ID.
A file containing unencrypted identifying information for every physician in the country who contracts with a BlueCross BlueShield-affiliated insurance plan was on a laptop computer stolen from an employee of the national association in Chicago.
The employee-owned computer was taken from a car Aug. 27, yet notification of doctors didn't start until October. The BlueCross BlueShield Assn. told its affiliated plans a week after the theft. But "because of the way we're set up," said Blues spokesman Jeff Smokler, the 39 member plans did not start telling the affected 850,000 doctors until more than a month later.
John White, a data security expert based in Chico, Calif., who specializes in health information, said doctors should continue with credit monitoring after the first year, just in case the stolen laptop does fall into the hands of someone wanting to steal physician data. "If I'm the bad guy and I've got that information, I'll just wait a year and after that start to work it."