Risk
3/14/2012
03:43 PM
50%
50%

Data Theft Costs Tennessee Blue Cross Big Bucks

Blue Cross Blue Shield of Tennessee agrees to pay $1.5 million to settle case involving theft of 57 unencrypted hard drives that contained protected health information.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Blue Cross Blue Shield of Tennessee (BCBST) will have to fork over $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information (PHI) of over 1 million individuals. The hard drives were stolen from a leased facility in Tennessee.

According to a Blue Cross Blue Shield statement released Tuesday, the settlement covers the 2009 theft of the hard drives from a data storage closet at a former BlueCross call center located in Chattanooga. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included personal information such as member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. To date, there is no indication of any misuse of personal data from the stolen hard drives.

Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts. Part of BCBST's PHI protections efforts has since included the encryption of its at-rest data.

[ How to protect PHI? Read 5 Steps To Assess Health Data Breach Risks. ]

Now as part of its agreement with HHS the company will undergo a 450-day corrective action plan that requires BCBST to review, revise, and maintain its privacy and security policies and procedures; to conduct regular and thorough trainings for all BCBST employees covering employee responsibilities under the Health Insurance Portability and Accountability Act (HIPAA); and to regularly review BCBST's compliance with the corrective action plan.

"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement. "We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process."

According to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, healthcare organizations can learn a lot from the corrective action plan outlined in the agreement.

"The monetary penalty may grab headlines but it's the corrective action plan that provides the most insight," Berger told InformationWeek Healthcare. "Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan."

HHS' Office of Civil Rights (OCR) investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. The investigation also revealed a failure to implement appropriate physical safeguards by not having adequate facility access controls.

Both of these safeguards are required by HIPAA's privacy and security rules.

According to officials at HHS, the enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule, which Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), described as "an important enforcement tool."

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information--a "breach"--of 500 individuals or more to HHS and the media.

In a statement Rodriguez also said, "This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program."

Rick Kam, president and co-founder of ID Experts, said he is expecting more PHI breaches to surface.

"I suspect there will be many other enforcement actions in the news as OCR finds other entities that have had similar lapses in security out of the thousands of complaints OCR looks into each year," Kam told InformationWeek Healthcare.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
3/15/2012 | 1:49:44 AM
re: Data Theft Costs Tennessee Blue Cross Big Bucks
"Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts." - Ouch. High price to pay for not encrypting data.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.