Connecticut’s attorney general is investigating a data breach affecting providers for Anthem Blue Cross Blue Shield and a subsequent delay in reporting the matter he deemed “alarming and potentially illegal.”

Richard Blumenthal

Richard Blumenthal said he is investigating the loss of confidential information, including tax identification and some Social Security numbers, for all 18,817 individual health care providers doing business with Anthem.

The attorney general said he is also seeking additional identity theft protection for doctors, therapists and other professionals affected by the matter.

The information was lost when a laptop was stolen from an employee with the Blue Cross and Blue Shield Association Aug. 25, according to Blumenthal’s office, containing information on company providers nationwide. He added that Anthem and its affiliates may have violated Connecticut law by allowing the information to be lost and then failing to notify providers in a timely manner. His office said Anthem and Empire, an affiliate, failed to notify providers until late October.

“As appalling as the data loss, equally alarming and potentially illegal is the delay in disclosing it,” Blumenthal said in a statement. “Failing to promptly notify providers of the breach is inexcusable — and a possible violation of state law. Waiting two months left providers severely at risk — needlessly and irresponsibly exposing them to financial mayhem.”

The state attorney general added that Anthem’s offer of one year of identity theft protection for professionals impacted by the data breach was “inadequate and unacceptable.”

In a statement to IFAwebnews.com, Sarah Yeager, a spokeswoman for Anthem Blue Cross Blue Shield of Connecticut, said the insurer “takes very seriously its obligation to protect the personal information of members and providers.

“We understand the attorney general’s request for credit monitoring services beyond one year and we have communicated to [his] office our extension of the credit monitoring to two years,” Yeager said.

She noted that the company “acted with all due diligence in order to minimize unnecessary delay” in notifying providers between the time the laptop was stolen in Chicago from the vehicle of a BCBSA employee and its communication to providers in Connecticut.

Yeager said no medical information or protected health information was contained in the data, but for some providers, their Social Security number was listed in a tax identification number field in a data file. The Social Security number was not linked to specific providers, however, she added.

She said all indications from Chicago police are that the incident was “a random theft.”

Blumenthal said he is calling for a full accounting from Anthem on the data breach and he will fight for greater safeguards, including increased identity theft protection, as he has done in similar cases.

“For identity thieves, private personal data is as good as gold — and should be secured with equal vigor and vigilance,” he said. “Companies must closely protect Social Security numbers and other sensitive data.”