BCBS of Tenn. Gets $1.5 Million Penalty

Insurer Agrees to Settlement in Breach Case
BlueCross BlueShield of Tennessee has agreed to pay a $1.5 million settlement and carry out a corrective action plan in the wake of a 2009 breach that affected more than 1 million individuals.
The Department of Health and Human Services' Office for Civil Rights portrays the settlement as the first enforcement action stemming directly from the HIPAA breach notification rule, established as a result of the HITECH Act.
In addition to the $1.5 million payment, the settlement calls for the health insurer to review, revise and maintain its privacy and security policies and procedures; conduct "regular and robust" training for all employees on their responsibilities under the HIPAA privacy and security rules; and perform reviews to ensure compliance with the corrective action plan, according to an HHS announcement.
"This settlement sends an important message that OCR expects health plans and healthcare providers to have in place a carefully designed, delivered and monitored HIPAA compliance program," says Leon Rodriguez, director of the HHS Office for Civil Rights. "The HITECH breach notification rule is an important enforcement tool, and OCR will continue to vigorously protect patients' right to private and secure health information."
The incident affecting BlueCross BlueShield of Tennessee enrollees was among the first of the major breaches to grab headlines following the September 2009 effective date of the breach notification rule. The incident, which occurred Oct. 2, 2009, involved the theft of 57 unencrypted computer hard drives from a leased call-center facility that had recently closed. The drives included member names, Social Security numbers, diagnosis codes, dates of birth and health plan identification numbers.
OCR's investigation determined the health plan "failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes," according to the HHS announcement. "In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls." The security evaluation and physical safeguards are both required under the HIPAA security rule, HHS notes.
"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for the health insurer, said in a statement posted on the company's website.
In total, the company has spent nearly $17 million in investigation, notification and protection efforts, the statement notes.
In a 2011 interview, executives at the insurance company described how it encrypted all stored data in the aftermath of the breach (see: BCBS of Tenn. Encrypts All Stored Data).
The resolution agreement can be found on the OCR website.