Blue Cross Blue Shield of Tennessee Pays $1.5m for Data Breach | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Blue Cross Blue Shield of Tennessee Pays $1.5m for Data Breach

March 15, 2012
by Gabriel Perna
| Reprints

Blue Cross Blue Shield of Tennessee (BCBST) will pay $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, according to Leon Rodriguez, director of the HHS Office for Civil Rights (OCR).  

In addition, BCBST will add a corrective action plan to address gaps in its HIPAA compliance program.  This counts as the first response resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.

According to HHS, 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee that BSBST was operating.  The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. According to the OCR investigation, BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. It also showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” OCR Director Leon Rodriguez said in a statement. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan.

Topics

News

Dignity Health, CHI Merging to Form New Catholic Health System

Catholic Health Initiatives (CHI), based in Englewood, Colorado, and San Francisco-based Dignity Health officially announced they are merging and have signed a definitive agreement to combine ministries and create a new, nonprofit Catholic health system.

HHS Announces Winning Solutions in Opioid Code-a-Thon

The U.S. Department of Health and Human Services (HHS) hosted this week a first-of-its-kind two-day Code-a-Thon to use data and technology to develop new solutions to address the opioid epidemic.

In GAO Report, More Concern over VA VistA Modernization Project

A recent Government Accountability Office (GAO) report is calling into question the more than $1 billion that has been spent to modernize the Department of Veterans Affairs' (VA) health IT system.

Lawmakers Introduce Legislation Aimed at Improving Medicare ACO Program

U.S. Representatives Peter Welch (D-VT) and Rep. Diane Black (R-TN) have introduced H.R. 4580, the ACO Improvement Act of 2017 that makes changes to the Medicare accountable care organization (ACO) program.

Humana Develops Medication Management Tool

A new tool developed by Humana enables the company’s members to keep a list of their medications in one place.

Four Hospitals Piloting OurNotes Initiative in 2018

Beginning in January, four academic hospitals—Beth Israel Deaconess Medical Center in Boston, University of Washington in Seattle, Dartmouth-Hitchcock Medical Center in Lebanon, New Hampshire and University of Colorado in Boulder—will begin piloting a new digital tool called OurNotes that enables patients to contribute to their clinical notes.