Risk
3/14/2012
03:43 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Theft Costs Tennessee Blue Cross Big Bucks

Blue Cross Blue Shield of Tennessee agrees to pay $1.5 million to settle case involving theft of 57 unencrypted hard drives that contained protected health information.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Blue Cross Blue Shield of Tennessee (BCBST) will have to fork over $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information (PHI) of over 1 million individuals. The hard drives were stolen from a leased facility in Tennessee.

According to a Blue Cross Blue Shield statement released Tuesday, the settlement covers the 2009 theft of the hard drives from a data storage closet at a former BlueCross call center located in Chattanooga. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included personal information such as member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. To date, there is no indication of any misuse of personal data from the stolen hard drives.

Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts. Part of BCBST's PHI protections efforts has since included the encryption of its at-rest data.

[ How to protect PHI? Read 5 Steps To Assess Health Data Breach Risks. ]

Now as part of its agreement with HHS the company will undergo a 450-day corrective action plan that requires BCBST to review, revise, and maintain its privacy and security policies and procedures; to conduct regular and thorough trainings for all BCBST employees covering employee responsibilities under the Health Insurance Portability and Accountability Act (HIPAA); and to regularly review BCBST's compliance with the corrective action plan.

"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement. "We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process."

According to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, healthcare organizations can learn a lot from the corrective action plan outlined in the agreement.

"The monetary penalty may grab headlines but it's the corrective action plan that provides the most insight," Berger told InformationWeek Healthcare. "Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan."

HHS' Office of Civil Rights (OCR) investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. The investigation also revealed a failure to implement appropriate physical safeguards by not having adequate facility access controls.

Both of these safeguards are required by HIPAA's privacy and security rules.

According to officials at HHS, the enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule, which Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), described as "an important enforcement tool."

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information--a "breach"--of 500 individuals or more to HHS and the media.

In a statement Rodriguez also said, "This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program."

Rick Kam, president and co-founder of ID Experts, said he is expecting more PHI breaches to surface.

"I suspect there will be many other enforcement actions in the news as OCR finds other entities that have had similar lapses in security out of the thousands of complaints OCR looks into each year," Kam told InformationWeek Healthcare.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
3/15/2012 | 1:49:44 AM
re: Data Theft Costs Tennessee Blue Cross Big Bucks
"Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts." - Ouch. High price to pay for not encrypting data.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.