TRH Health Plan notifies 80,000 members after BCBS of Tennessee improperly used personal info
Holly Fletcher reports: TRH Health Plan, a not-for-profit service company of Farm Bureau, has contacted some members about information that was inappropriately used by BlueCross BlueShield of Tennessee, an administrative partner with the health plan. “They have the right to have (the information), but didn’t have the right to use for marketing,” said Ryan Brown, general counsel at TRH in Columbia. TRH mailed letters to about 80,000 members on Jan. 9 informing them that BlueCross BlueShield of Tennessee inappropriately accessed their names and addresses to create marketing materials. The misuse is a violation of the Health Insurance Portability and Accountability Act. Read more on The Tennessean.
You can do everything right, but still incur penalties – lessons learned from BCBS of Tennessee
Deborah Johnson Pyles writes: One of the lessons from the recent settlement agreement entered into by Blue Cross/Blue Shield of Tennessee with the Department of Health and Human Services is that doing everything right may not be enough. The settlement concerned alleged violations of Health Insurance Portability and Accountability Act privacy and security laws arising from the theft of 57 computer hard drives containing 1,023,209 members’ names, ID numbers, diagnosis codes, dates of birth, and social security numbers. The hard drives were left in a locked closet in office space that BCBSTN vacated as it moved operations to a new location. Read more on ID Experts.
BCBS of Tennessee provides update on breach involving stolen hard drives
Approximately one year after the theft of 57 hard drives containing member data from a leased facility in Chattanooga, BlueCross BlueShield of Tennessee provided an update on the breach to the New Hampshire Attorney General’s Office. BCBS had assigned the affected individuals to one of three “tiers.” Tier 1 included those whose Social Security Numbers were involved, Tier 2 included those who had no SSN but who had diagnostic or health information as well as other personal information, and Tier 3 included those who had some forms of personally identifiable information but no SSN and no health information. According to their letter dated October 15, the total number of individuals affected was 1,023,209. Of those, 451,274 individuals were Tier 1, while 319,325 were Tier 2, and 239,730 were Tier 3. To date, BCBS has received fewer than 10 requests for credit restoration services from individuals in Tier 1, and does not believe that those 10 cases were due to the breach, although it approved and paid for the credit restoration services. The company says that it will continue to monitor for potential harm to its members and to cooperate with law enforcement in investigating the theft, but has, by now, notified everyone whose identity could reasonably be determined from the drives. Previous coverage of this breach on PHIprivacy.net can be found here.
BCBS of Tennessee still notifying individuals of breach
Almost six months after the theft of 57 hard drives from its Chattanooga facility, BlueCross BlueShield of Tennessee is still in the process of notifying individuals of the breach, according to an update to the New Hampshire Attorney General’s Office dated March 31 (pdf). Update: Note that as of this month, the number of individuals affected by or being notified about the breach has risen to 998,442.
Update: BCBS of Tennessee to start sending notifications
John Commins updates us on the Tennessee BlueCross BlueShield breach: BlueCross BlueShield of Tennessee is readying a Nov. 30 mass mailing to some of its 3.1 million customers in the Volunteer State who may have had their Social Security numbers and other private data compromised after an Oct. 2 hard drive theft at a remote training facility in Chattanooga. “It’s going to be a progression of mailings, with those who would be most at risk receiving the first mailings, depending upon how many people had a Social Security number compromised,” says BCBST spokeswoman Mary Thompson. […] Meanwhile, local, state, and federal law enforcement officials have been called in to investigate the Oct. 2 theft of three 3.5″ X 10″ hard drives, which were physically removed from server racks on computers inside a data storage closet at a training center located in a strip mall. “We were using the information on those drives for training purposes. We were auditing our [customer service representatives] to ensure that they were delivering the correct information and servicing providers correctly and using it for training of new CSRs,” Thompson says. […] In the past several weeks, Thompson says BCBST has had as many as 800 people—including employees from a private security company—working at any given time on the arduous task of analyzing more than 300,000 screen shots and about 50,000 hours of audio data to identify potential breaches. Read more on Health Leaders Media. Is anyone else confused by the reference to three hard drives? Earlier reports talked about 57 hard drives and then 68.
HHS settles HIPAA case with Blue Cross Blue Shield of Tennessee for $1.5 million following theft of 57 computer drives
From HHS: Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today. BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule. “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. 
“The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan. HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The HIPAA Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure. The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media. Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis. Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf. Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html. Previous coverage on DataBreaches.net linked from here.
(follow-up) BCBS of Tenn. Encrypts All Stored Data
After BCBS of Tennessee had that horribly time-consuming and costly breach involving 57 tapes with oodles of personal and protected health information that they had to wade through, they apparently learned their lesson. Howard Anderson writes: BlueCross BlueShield of Tennessee, which experienced a health information breach affecting nearly 1 million individuals in 2009, has completed the encryption of all its stored data. In the aftermath of the October 2009 incident, which involved the theft of 57 unencrypted hard drives from servers at a call center that had recently closed, officials at the insurer last year described security steps they planned to take, including widespread use of encryption (see: BCBS of Tenn. Breach: Lessons Learned). The Blues plan now says it has invested more than $6 million and 5,000 man-hours in encrypting all data at rest, a total of 885 terabytes of information. That includes patient information on computer hard drives, servers and removable media. Read more on HealthcareInfoSecurity.com.
BCBS of Tenn. Breach: Lessons Learned
Howard Anderson writes: In the wake of an information breach affecting nearly 1 million people, executives at BlueCross BlueShield of Tennessee have many lessons to share and plenty of advice to offer. On Oct. 2, 2009, someone stole 57 unencrypted hard drives from servers at a call center the insurer had recently closed. So far, there have been no arrests, nor any evidence of fraud committed, the company reports. […] Among the actions the Tennessee plan has taken and the lessons it has learned are:
• Adding a layer of physical security to protect servers is a prudent step.
• Encryption should be applied widely, including on servers.
• Appointing a chief security officer helps to ensure coordination of all security efforts.
• Organizations should carefully assess how long to store information.
• In preparing a breach notification plan, be sure to prepare a pre-selected list of vendors that can help with various tasks.
• Train customer service representatives to deal with breach-related questions from the public.
• Communicate frequent updates on breach investigations through the media and a Web site.
Read more on HealthInfoSecurity.com.
Interestingly, one of the lessons that I think everyone should have learned from this incident is not included in their list: think about recording calls for quality assurance purposes and ensure you have a way to retrieve PII and PHI if need be — and securely destroy such data on a frequent and regular basis. BCBS spent extraordinary time trying to figure out what was on the audio tapes. Of course, if strong encryption is used, some of that might not be necessary. Previous coverage of the BCBS Tennessee breach can be found in these earlier blog entries.
BCBS of TN issues breach notification for stolen hard drive
Remember the BlueCross breach in Chattanooga from October? First it was 57 hard drives, then 68, then 3, then 1, depending on which report you read. Now it’s 57 again, it seems. Today, Blue Cross issued a breach notification on its web site, as required by the new HITECH Act:
Required Substitute HITECH Act Notice Regarding BlueCross Hard Drive Theft
Editor’s Note: BlueCross BlueShield of Tennessee has issued this press release as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) and its implementing regulations.
CHATTANOOGA, Tenn. — On Monday, Oct. 5, 2009 at 10 a.m., BlueCross BlueShield of Tennessee, Inc. employees discovered a theft of computer equipment at a network closet located in its former Eastgate Town Center office location in Chattanooga, Tenn. The theft occurred Friday, Oct. 2, 2009 at approximately 6:13 p.m. BlueCross has established that the items taken include 57 hard drives containing data that was encoded but not encrypted. The hard drives were part of a system that recorded and stored audio and video recordings of coordination of care and eligibility telephone calls from providers and members to BlueCross’ former Eastgate call center located in Chattanooga. The hard drives that were stolen contained data that included protected health information data of some members of the health plan. This data included member names and identification numbers and, on some but not all recordings, a diagnosis/diagnosis code, date of birth and/or a Social Security number. BlueCross immediately investigated the breach and strengthened the existing security measures at the Eastgate Town Center where space was being leased. BlueCross is obtaining an independent assessment of system-wide data and facility security.
BlueCross has placed information on its Web site www.bcbst.com to provide its members information about this theft. The information includes the link to the Federal Trade Commission Web site, www.ftc.gov, where members can find information on steps they can take to protect against identity theft. Members can contact the BlueCross Eastgate Response Customer Call Center at 1-888-422-2786 to find out more information. The back-up data of the stolen hard drives were restored and an exhaustive inventory of all data included on the drives is being conducted by BlueCross and Kroll Inc., a global leader in data security. BlueCross is in the process of sending rolling written notification to members as soon as they are identified as being affected by the data theft. The notification letters, which will be mailed to current and former BlueCross members, will specify the particular call center number that members should call. For any members whose Social Security number is identified at risk, credit monitoring services will be provided free of charge – which also includes up to a million dollars in identity theft insurance. BlueCross has also engaged the services of Kroll to carry out the member notifications and provide its Enhanced Identity Theft Consultation and Restoration Services. Kroll’s Licensed Investigators are available to answer any questions or identity theft concerns. In addition, in the unlikely event a member sustained identity theft as a result of this incident, BlueCross would also provide Identity Theft Restoration service through Kroll. BlueCross has notified the Secretary of the Department of Health and Human Services and the State of Tennessee. BlueCross has also placed a notice with all three credit bureaus regarding this theft. 
If a member receives a notification letter, the member will then be directed to call one of the numbers below:
• BlueCross Eastgate Response Customer Call Center 1-888-422-2786 / 1-866-779-0487
• Members whose Social Security number has been at risk 1-866-599-7347
• [email protected]
For up-to-date information related to the Eastgate theft visit the BlueCross Web site at www.bcbst.com.
About BlueCross
BlueCross BlueShield of Tennessee is the state’s oldest and largest not-for-profit health plan, serving nearly 3 million Tennesseans. Founded in 1945, the Chattanooga-based company is focused on financing affordable health care coverage and providing peace of mind for all Tennesseans. BlueCross serves its members by delivering quality health care products, services and information. BlueCross BlueShield of Tennessee Inc. is an independent licensee of BlueCross BlueShield Association. For more information, visit the company’s Web site at www.bcbst.com.
Update: BCBS’s notification to Maryland is now available online.