Tennessee insurer to pay $1.5 million for breach-related violations
BlueCross BlueShield agrees to pay HHS for HIPAA violations tied to 2009 breach that exposed data on 1 million members
Computerworld - A 2009 data breach that has already cost BlueCross BlueShield of Tennessee nearly $17 million got a little more expensive Tuesday.
The insurer today agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle Health Insurance Portability and Accountability Act (HIPAA) violations related to the breach.
Under the settlement, BlueCross BlueShield has also agreed to review and revise its privacy and security policies and to regularly train employees on their responsibilities under the Health Insurance Portability and Accountability Act of 1996.
The settlement is the first resulting from enforcement action taken by the HHS under Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements.
The notification rules require all HIPAA-covered entities to notify affected individuals of any breach involving their health information. The rules also require them to notify the HHS and the media in cases where the breach affects more than 500 people.
Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), said the settlement underscores the department's intent to vigorously enforce HIPAA's security and privacy rules.
"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," Rodriguez said in a statement.
Today's settlement stems from an October 2009 data breach in which an unidentified intruder broke into a Blue Cross training center in Chattanooga and stole 57 hard drives storing unencrypted information on about 1 million BlueCross members.
The compromised data included about 600,000 audio recordings of customer support calls and over 300,000 screen shots showing what BlueCross call center staff had on their computer screens when they were handling the calls.
According to BlueCross, the drives contained varying degrees of personal information on its members, though there is little indication that any of it has been misused to date.
Since the theft, BlueCross has made "significant investments" to bolster the security of patient data, said Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, in a statement today.
The insurer has also agreed to encrypt all at-rest data, she added.
Roberson described the encryption initiative as an effort that "goes above and beyond current industry standards."
Under the settlement, BlueCross will provide HHS with all of its current written security policies and procedures and will monitor its workforce to ensure that HIPAA requirements are met, Roberson said.
So far, the investigation, notification and mitigation efforts tied to the breach have cost BlueCross close to $17 million, according to Roberson.
The early costs were mostly from attempts to determine exactly what data had been compromised. Soon after the breach, 500 full-time employees from Blue Cross and data recovery specialist Kroll OnTrack reviewed and recompiled the lost data.
In addition, 300 more BlueCross employees worked part-time on the same effort, the company had noted in a letter sent to the Maryland attorney general's office soon after the breach.
Today's settlement is the latest in a small but growing number of HIPAA enforcement actions taken by the HHS over the past year or so.
Last February, the agency imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for HIPAA violations, and agreed to a $1 million settlement with Massachusetts General Hospital for similar violations.
In July 2011, the University of California at Los Angeles agreed to pay an $865,000 fine and commit to a multi-year program to remedy HIPAA rules violated when hospital staff snooped on the medical records of two celebrity patients.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.