Data Theft Costs Tennessee Blue Cross Big BucksBlue Cross Blue Shield of Tennessee agrees to pay $1.5 million to settle case involving theft of 57 unencrypted hard drives that contained protected health information.
Health Data Security: Tips And Tools (click image for larger view and for slideshow)
Blue Cross Blue Shield of Tennessee (BCBST) will have to fork over $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information (PHI) of over 1 million individuals. The hard drives were stolen from a leased facility in Tennessee.
According to a Blue Cross Blue Shield statement released Tuesday, the settlement covers the 2009 theft of the hard drives from a data storage closet at a former BlueCross call center located in Chattanooga. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included personal information such as member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. To date, there is no indication of any misuse of personal data from the stolen hard drives.
Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts. Part of BCBST's PHI protections efforts has since included the encryption of its at-rest data.
[ How to protect PHI? Read 5 Steps To Assess Health Data Breach Risks. ]
Now as part of its agreement with HHS the company will undergo a 450-day corrective action plan that requires BCBST to review, revise, and maintain its privacy and security policies and procedures; to conduct regular and thorough trainings for all BCBST employees covering employee responsibilities under the Health Insurance Portability and Accountability Act (HIPAA); and to regularly review BCBST's compliance with the corrective action plan.
"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement. "We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process."
According to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, healthcare organizations can learn a lot from the corrective action plan outlined in the agreement.
"The monetary penalty may grab headlines but it's the corrective action plan that provides the most insight," Berger told InformationWeek Healthcare. "Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan."
HHS' Office of Civil Rights (OCR) investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. The investigation also revealed a failure to implement appropriate physical safeguards by not having adequate facility access controls.
Both of these safeguards are required by HIPAA's privacy and security rules.
According to officials at HHS, the enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule, which Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), described as "an important enforcement tool."
The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information--a "breach"--of 500 individuals or more to HHS and the media.
In a statement Rodriguez also said, "This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program."
Rick Kam, president and co-founder of ID Experts, said he is expecting more PHI breaches to surface.
"I suspect there will be many other enforcement actions in the news as OCR finds other entities that have had similar lapses in security out of the thousands of complaints OCR looks into each year," Kam told InformationWeek Healthcare.
Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)