We often forget that state AG’s have jurisdiction under the HIPAA Omnibus Rule to levy fines and penalties against HIPAA covered entities for violations. This is because the Office for Civil Rights has traditionally taken the primary role in enforcing HIPAA. But Horizon Blue Cross Blue Shield of New Jersey (Horizon) was reminded of the AG’s ability to enforce HIPAA when it recently agreed to pay a $1.1 million fine to the New Jersey Division of Consumer Affairs for an incident that occurred in November of 2013  involving the theft of two unencrypted laptops from its offices.

Although the laptops were secured to the desks with security cables and were password protected, they were not encrypted. The information contained on the laptops included the names, addresses, Social Security numbers, birth dates, insurance identifiers, and some clinical data.

The Division found during its investigation that Horizon had over 100 unencrypted laptops. Because the laptops were not purchased pursuant to Horizon’s procurement process, the IT Department did not know they had not been encrypted.

This settlement sends two messages: 1) Don’t forget that State AGs can enforce HIPAA violations; and 2) It is important that the IT department issue mobile devices, including laptops and phones, so it can keep track of the devices, make sure they are encrypted and updated with security tools as necessary, and can remote wipe them in the event they are lost or stolen.