A health insurer agreed to pay $1.5 million and adopt a detailed corrective action plan to resolve HIPAA security allegations stemming from a 2009 data breach. This is the first HIPAA enforcement action to result from the breach reports now required by the HITECH Act.
Like many data breaches that have been making the news in health care and other areas, the incident suffered by BlueCross BlueShield of Tennessee (BCBST) involved the theft of hardware that happened to contain sensitive information on a large number of individuals.
However, the circumstances of this breach, as alleged by the U.S. Department of Health and Human Services (HHS), did not involve a mobile device lost by a careless or ill-trained employee in a remote location. Instead, 57 hard drives were allegedly stolen from a locked network data closet, after being temporarily left behind in a building BCBST staff had already vacated as part of an office move.
The hard drives contained more than 1 million audio and 300,000 video recordings of customer service calls, according to the allegations summarized in the “resolution agreement” between BCBST and HHS’ Office for Civil Rights (OCR). BCBST’s own internal investigation found that these included protected health information (PHI) on more than 1 million individuals.
HIPAA penalties and monetary settlements previously imposed by OCR had resulted from privacy or security complaints filed by affected individuals. The agency’s investigation of BCBST, however, was triggered by the breach report the insurer itself submitted to OCR to comply with the HITECH breach notification rule, which took effect in September 2009. The incident occurred that October.
“The HITECH breach notification rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information,” OCR Director Leon Rodriguez said March 13 in announcing the settlement. The agency alleged that BCBST had not met HIPAA’s security requirements for re-evaluating security in response to operational changes or controlling physical access to facilities.
Since the theft, BCBST has “worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times,” said Tena Roberson, BCBST’s deputy general counsel and chief privacy officer. There is no evidence to date that any of the PHI has been misused, BCBST added.
HIPAA privacy and security enforcement and breach notification are detailed in the Employer’s Guide to HIPAA and Employer’s Guide to HIPAA Privacy Requirements.