The first major HIPAA/HITECH fee levied


When you think about it, the fine levied by the HHS Office of Civil Rights isn’t all the cost of this HIPAA violation for BlueCross BlueShield of Tennessee. Turns out this was pricier than we thought. According to the law firm of Wilson Sonsini Goodrich and Rosati….

“BlueCross had self-reported the underlying incident under HIPAA’s requirements, and incurred more than $17 million in direct expenses relating to its investigation and remediation of the incident. The HHS investigators faulted BlueCross BlueShield for failing to implement appropriate administrative safeguards to protect information by storing protected health information on unencrypted computer hard drives. Under the settlement, BlueCross BlueShield also agreed to review and revise its healthcare information privacy and security policies, and to train employees regularly for HIPAA compliance.”

The cost of compliance for BCBS of Tennessee has some real bite. It will only take a few of these to get more attention paid to securing healthcare data.

Original Blog appears below.

The HIPAA / HITECH act penalties are beginning to bite. “Last week, BlueCross BlueShield of Tennessee, Inc., agreed to pay $1.5 million to the U.S. Department of Health and Human Services (HHS) for an alleged data security breach. The enforcement action is the first stemming from the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in early 2009.”[1]

Now that the HHS Office for Civil Rights is incentivized to audit by being able to keep the money from these fines and is reporting an average of 17 breaches per month, we can certainly expect more fines and for companies to get better at securing customer data.

The Tennessee BlueCross resolution covers the theft of 57 unencrypted hard drives taken from a data closet in a Chattanooga facility that was no loner in use by the company. The unencrypted drives contained recordings of customer service phone calls. But there was no actual misuse of the data.

Although the BlueCross breach involved the theft of physical drives and not hacking, the article goes on to state that, “…the bulk of data breaches are the result of computer-driven intrusion. And many of those thefts, are inside jobs.

The key takeaways here are:

  • The HHS office of Civil Rights is getting aggressive about fining companies that don’t take due care in accordance with the HIPAA / HITECH Act to secure customer personally identifiable information (PII).
  • Keeping disk drives or other sensitive data behind locked doors isn’t enough. Encryption for the data at rest would have likely lowered the fine.
  • Having a data disposal policy and following it should be top of mind for security execs
  • Use Splunk to monitor for inappropriate access to PII based on time of date, positive assignment of caregiver to patient, and comparisons of patient intake data to HR database records to discover possible patient caregiver relationships.
  • Maintain a robust security detection infrastructure and continuously monitor it.
  • Review or create a real security awareness program and get employees to understand the $1.5 million is a lot of money.

[1]$1.5M HHS Data Breach Settlement is First Under HITECH Law, Shannon Green, Corporate Council, March 21, 2012

Posted by