Risk
3/14/2012
03:43 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Theft Costs Tennessee Blue Cross Big Bucks

Blue Cross Blue Shield of Tennessee agrees to pay $1.5 million to settle case involving theft of 57 unencrypted hard drives that contained protected health information.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Blue Cross Blue Shield of Tennessee (BCBST) will have to fork over $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information (PHI) of over 1 million individuals. The hard drives were stolen from a leased facility in Tennessee.

According to a Blue Cross Blue Shield statement released Tuesday, the settlement covers the 2009 theft of the hard drives from a data storage closet at a former BlueCross call center located in Chattanooga. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included personal information such as member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. To date, there is no indication of any misuse of personal data from the stolen hard drives.

Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts. Part of BCBST's PHI protections efforts has since included the encryption of its at-rest data.

[ How to protect PHI? Read 5 Steps To Assess Health Data Breach Risks. ]

Now as part of its agreement with HHS the company will undergo a 450-day corrective action plan that requires BCBST to review, revise, and maintain its privacy and security policies and procedures; to conduct regular and thorough trainings for all BCBST employees covering employee responsibilities under the Health Insurance Portability and Accountability Act (HIPAA); and to regularly review BCBST's compliance with the corrective action plan.

"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement. "We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process."

According to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, healthcare organizations can learn a lot from the corrective action plan outlined in the agreement.

"The monetary penalty may grab headlines but it's the corrective action plan that provides the most insight," Berger told InformationWeek Healthcare. "Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan."

HHS' Office of Civil Rights (OCR) investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. The investigation also revealed a failure to implement appropriate physical safeguards by not having adequate facility access controls.

Both of these safeguards are required by HIPAA's privacy and security rules.

According to officials at HHS, the enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule, which Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), described as "an important enforcement tool."

The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information--a "breach"--of 500 individuals or more to HHS and the media.

In a statement Rodriguez also said, "This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program."

Rick Kam, president and co-founder of ID Experts, said he is expecting more PHI breaches to surface.

"I suspect there will be many other enforcement actions in the news as OCR finds other entities that have had similar lapses in security out of the thousands of complaints OCR looks into each year," Kam told InformationWeek Healthcare.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
3/15/2012 | 1:49:44 AM
re: Data Theft Costs Tennessee Blue Cross Big Bucks
"Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts." - Ouch. High price to pay for not encrypting data.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2006-1318
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

CVE-2014-1391
Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

CVE-2014-4350
Published: 2014-09-19
Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file.

CVE-2014-4376
Published: 2014-09-19
IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments.

CVE-2014-4390
Published: 2014-09-19
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Best of the Web
Dark Reading Radio