Blue Cross spends $18.5M on HIPAA violation

Blue Cross Blue Shield of Tennessee has the dubious distinction of becoming the first health insurer to receive a fine--a hefty $1.5 million--for violating the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.

Other insurers should take note because the penalty signals how the U.S. Department of Health & Human Services is ramping up its HIPAA privacy and security enforcement, according to an article in Computerworld. "This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," Leon Rodriguez, director of the HHS Office for Civil Rights, said in a statement.

The fine, which is just part of a settlement with HHS announced Tuesday, is the result of a 2009 data breach in which a thief stole 57 hard drives containing unencrypted information on about one million Blue Cross members, including names, Social Security numbers, diagnosis codes, dates of birth and health plan identification numbers, according to an article in CMIO.

HHS conducted an investigation into the theft, concluding that Blue Cross didn't implement appropriate physical and administrative safeguards to protect member information. Specifically, the insurer failed to perform a HIPAA-required security evaluation in response to operational changes and failed to ensure adequate facility access controls were in place, the Nashville Business Journal reported.

Blue Cross also agreed to a corrective action plan requiring it to review and revise HIPAA privacy and security policies, regularly provide HIPAA training for employees and conduct monitoring reviews to ensure compliance with the corrective action plan, CMIO noted.

As a result of the breach, Blue Cross already has spent nearly $17 million on investigation, notification and mitigation steps. A portion of that amount--$6 million--went toward data encryption.

"The main push is for the peace of mind of our members," Blue Cross spokeswoman Mary Danielson said, according to the Chattanooga Times Free Press. "That's why we engaged in the additional expense of encryption."

To learn more:
- read the HHS settlement agreement
- see the Computerworld article
- check out the Nashville Business Journal article
- read the CMIO article
- check out the Chattanooga Times Free Press article
