Data Theft Costs Tennessee Blue Cross Big Bucks

  /     /     /  
Publicated : 22/11/2024   Category : security


Data Theft Costs Tennessee Blue Cross Big Bucks


Blue Cross Blue Shield of Tennessee agrees to pay $1.5 million to settle case involving theft of 57 unencrypted hard drives that contained protected health information.



Health Data Security: Tips And Tools (click image for larger view and for slideshow)
Blue Cross Blue Shield of Tennessee (BCBST) will have to fork over $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information (PHI) of over 1 million individuals. The hard drives were stolen from a leased facility in Tennessee.
According to a
Blue Cross Blue Shield statement
released Tuesday, the settlement covers the 2009 theft of the hard drives from a data storage closet at a former BlueCross call center located in Chattanooga. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included personal information such as member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. To date, there is no indication of any misuse of personal data from the stolen hard drives.
Since the theft was uncovered in late 2009, the company has spent nearly $17 million in investigation, notification and protection efforts. Part of BCBSTs PHI protections efforts has since included the encryption of its at-rest data.
[ How to protect PHI? Read
5 Steps To Assess Health Data Breach Risks
. ]
Now as part of its
agreement with HHS
the company will undergo a 450-day corrective action plan that requires BCBST to review, revise, and maintain its privacy and security policies and procedures; to conduct regular and thorough trainings for all BCBST employees covering employee responsibilities under the Health Insurance Portability and Accountability Act (HIPAA); and to regularly review BCBSTs compliance with the corrective action plan.
Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times, Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement. We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process.
According to Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments at hospitals and other medical facilities, healthcare organizations can learn a lot from the corrective action plan outlined in the agreement.
The monetary penalty may grab headlines but its the corrective action plan that provides the most insight, Berger told
InformationWeek Healthcare
. Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan.
HHS Office of Civil Rights (OCR) investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. The investigation also revealed a failure to implement appropriate physical safeguards by not having adequate facility access controls.
Both of these safeguards are required by HIPAAs privacy and security rules.
According to officials at HHS, the enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule, which Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), described as an important enforcement tool.
The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information--a breach--of 500 individuals or more to HHS and the media.
In a
statement
Rodriguez also said, This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program.
Rick Kam, president and co-founder of ID Experts, said he is expecting more PHI breaches to surface.
I suspect there will be many other enforcement actions in the news as OCR finds other entities that have had similar lapses in security out of the thousands of complaints OCR looks into each year, Kam told
InformationWeek Healthcare.
Healthcare providers must collect all sorts of performance data to meet emerging standards. The new
Pay For Performance
issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Last News

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security

▸ Car Sector Speeds Up In Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Data Theft Costs Tennessee Blue Cross Big Bucks