BCBS of Tennessee settles $1.5 million HIPAA case with HHS. What’s the fallout?
More than two years after the incident occurred, Blue Cross Blue Shield of Tennessee has settled a HIPAA violation claim with the U.S. Department of Health and Human Services and the Office of Civil Rights. The security breach cost BCBST $1.5 million.
Details of the case and the agreement, reached March 13, were posted on the HHS website.
The case dates back to Oct. 5, 2009, when BCBST employees found out that computer equipment had been stolen three days earlier from a “network data closet” in the company’s Chattanooga office. The theft included 57 hard drives with encoded electronic data pertaining to more than 300,000 video recordings and a million audio recordings.
Also stored on the disks was protected health information of over a million members, such as diagnosis codes, dates of birth and Social Security numbers.
The data had been left in the storage closet after a BCBST move earlier in the year. Security had been turned over to a property management company. It was secured via biometric and keycard scanners with a magnetic lock, plus an additional door with a keyed lock.
BCBST agreed to pay the fine, although the company does not admit liability in the agreement. The company did, however, agree to a corrective action plan.
On the website Legal Health information eXchange, attorney Helen Oscislawski wrote a post on Monday (Peeling Back BCBS’s $1.5 Million HIPAA Settlement Onion) in which she said she found the agreement “instructive and frightening.” BCBST reported the security breach within the necessary legal time frame, she said, and the precautions taken could arguably have been enough to show that the company was in compliance.
She noted that the breach was the result of a criminal act.
“However, at least for [BCBST], apparently the costs and burden of going through an investigation to prove that the Breach was not due to an underlying lapse in its HIPAA compliance program was not worth it, at least not $1.5 Million,” she said.
It seemed as if HHS was more concerned about BCBST’s overall HIPAA compliance program than it was about the security breach itself, she added.
She suggests that covered entities review any contracts they may have with third parties that have access to protected health information and provide “clear language regarding allocation of responsibility for security ….”
- John Nelander, Contributing Editor