The first enforcement action involving the HITECH Act’s data breach notification rule has led to a large settlement to be paid by an insurance company.
The settlement stems from a 2009 incident in which 57 hard drives owned by BlueCross BlueShield of Tennessee (BCBST) were stolen from a leased training center in Chattanooga. The drives were unencrypted and contained information about more than 1 million BlueCross members, including names, Social Security numbers, diagnosis codes and health plan identification numbers.
After BCBST notified the U.S. Department of Health and Human Services (HHS) about the breach, an investigation uncovered several potential HIPAA security violations. BCBST recently agreed to pay a $1.5 million settlement to cover the alleged violations.
HHS said the company failed to conduct a HIPAA-required security evaluation after undergoing operational changes. Also, investigators claimed BCBST did not have adequate access controls at the leased facility.
In addition to the financial penalty, the settlement requires BCBST to improve its IT security practices, including encrypting data, training employees about HIPAA requirements, and reviewing and revising security policies.