HHS fines Blue Cross of Tennessee for theft of 57 hard drives

14 March 2012

The US Department of Health and Human Services (HHS) is fining Blue Cross Blue Shield of Tennessee $1.5 million related to the 2009 theft of 57 unencrypted computer hard drives containing protected health information on over one million patients.

The hard drives, which were stolen from a leased facility in Chattanooga, contained names, Social Security numbers, diagnosis codes, dates of birth, and health plan ID numbers of patients.

The investigation by the department’s Office for Civil Rights (OCR) found that Blue Cross Blue Shield of Tennessee “failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA [Health Insurance Portability and Accountability Act] Security Rule.”

In addition to the fine, HHS is requiring Blue Cross Blue Shield of Tennessee to review, revise, and maintain its privacy and security policies and procedures, to conduct regular information security training for all employees, and to perform monitoring reviews to ensure compliance with the 450-day corrective action plan contained in the settlement between the company and the government.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. The HITECH [Health Information Technology for Economic and Clinical Health Act] Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information”, said OCR Director Leon Rodriguez.

Blue Cross Blue Shield of Tennessee said that since the theft it has implemented a policy of encrypting all its data at rest and has spent nearly $17 million in investigating the breach, notifying those affected, and improving information security protection.

“Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times. We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process”, said Tena Roberson, deputy general counsel and chief privacy officer for Blue Cross.

This article is featured in:
Compliance and Policy  •  Data Loss  •  Encryption
