The hard drives, which were stolen from a leased facility in Chattanooga, contained patients' names, Social Security numbers, diagnosis codes, dates of birth, and health plan ID numbers.
The investigation by the department’s Office of Civil Rights (OCR) found that Blue Cross Blue Shield of Tennessee “failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA [Health Insurance Portability and Accountability Act] Security Rule.”
In addition to the fine, HHS is requiring Blue Cross Blue Shield of Tennessee to review, revise, and maintain its privacy and security policies and procedures, to conduct regular information security training for all employees, and to perform monitoring reviews to ensure compliance with the 450-day corrective action plan contained in the settlement between the company and the government.
“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program. The HITECH [Health Information Technology for Economic and Clinical Health Act] Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information”, said OCR Director Leon Rodriguez.
Blue Cross Blue Shield of Tennessee said that since the theft it has implemented a policy of encrypting all its data at rest and has spent nearly $17 million in investigating the breach, notifying those affected, and improving information security protection.
“Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times. We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process”, said Tena Roberson, deputy general counsel and chief privacy officer for Blue Cross.