March 15, 2012, 7:51 AM — A 2009 data breach that has already cost BlueCross BlueShield of Tennessee nearly $17 million got a little more expensive Tuesday.
The insurer today agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) to settle Health Insurance Portability and Accountability Act (HIPAA) violations related to the breach.
Under the settlement, BlueCross BlueShield has also agreed to review and revise its privacy and security policies and to regularly train employees on their responsibilities under HIPAA, the 1996 statute.
The settlement is the first resulting from enforcement action taken by the HHS under Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements.
The notification rules require all HIPAA-covered entities to notify affected individuals of any breach involving their health information. They also require those entities to notify the HHS and the media in cases where the breach affects more than 500 people.
Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), said the settlement underscores the department's intent to vigorously enforce HIPAA's security and privacy rules.
"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," Rodriguez said in a statement.
Today's settlement stems from an October 2009 data breach in which an unidentified intruder broke into a BlueCross training center in Chattanooga and stole 57 hard drives storing unencrypted information on about 1 million BlueCross members.
The compromised data included about 600,000 audio recordings of customer support calls and over 300,000 screen shots showing what BlueCross call center staff had on their computer screens when they were handling the calls.
According to BlueCross, the drives contained varying degrees of personal information on its members, though there is little indication that any of it has been misused to date.
Since the theft, BlueCross has made "significant investments" to bolster the security of patient data, said Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, in a statement today.
The insurer has also agreed to encrypt all at-rest data, she added.
Roberson described the encryption initiative as an effort that "goes above and beyond current industry standards."