BCBS of Tennessee To Pay $1.5M Over 2009 Health Data Breach


On Tuesday, HHS' Office for Civil Rights announced that Blue Cross Blue Shield of Tennessee has agreed to pay $1.5 million to federal regulators and follow a corrective action plan as a result of a health data breach that occurred in October 2009, Health Data Management reports (Goedert, Health Data Management, 3/13).

The enforcement action is the first stemming from the HITECH Act's breach notification rule. The breach notification rule requires certain organizations to report health data breaches that affect more than 500 individuals.

Background on Data Breach

The breach occurred when 57 BCBST hard drives were stolen from a leased facility in Tennessee. The hard drives contained unencrypted personal data on more than one million people, including their:

  • Names,
  • Social Security numbers,
  • Dates of birth;
  • Diagnosis codes; and
  • Health plan identification numbers (Cadet, CMIO, 3/13).

According to BCBST, the data consisted of audio and video recordings of customer service calls. The insurer said there has been no indication that the data were misused.

OCR Investigation

After BCBST reported the breach to federal regulators, OCR conducted an investigation of the incident.

OCR found that BCBST had violated HIPAA regulations because it did not perform a required security evaluation following operational changes and did not have appropriate access controls at the leased facility (Carlson, Modern Healthcare, 3/13).

Corrective Action Plan Details

In addition to the $1.5 million settlement, the corrective action plan requires BCBST to:

  • Evaluate and revise its current security and privacy policies;
  • Conduct "regular and robust" employee training on HIPAA; and
  • Perform regular reviews to ensure compliance with the corrective plan (CMIO, 3/13).

BCBST Comments

Tena Roberson -- deputy general counsel and chief privacy officer for BCBST -- said, "Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times."

Roberson added, "We appreciate working with HHS, the Office of Civil Rights and CMS and specifically their guidance on administrative, physical and technical standards throughout this process" (Nicastro, HealthLeaders Media, 3/14).

to share your thoughts on this article.