HHS settles HIPAA case with Blue Cross Blue Shield of Tennessee for $1.5 million following theft of 57 computer drives

From HHS: Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today.  BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program.  The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee.  The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule. “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan. HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The HIPAA Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure. The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media.  Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis. Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at:  http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. The HHS Resolution Agreement can be found athttp://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ resolution_agreement_and_cap.pdf. Additional information about OCR’s enforcement activities can be found athttp://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html. Previous coverage on DataBreaches.net linked from here.

HHS settles HIPAA case with Blue Cross Blue Shield of Tennessee for $1.5 million following theft of 57 computer drives

From HHS: Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today.  BCBST has also agreed to a corrective action plan to address gaps in its HIPAA compliance program.  The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule. The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee.  The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule. “This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.” In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan. HHS Office for Civil Rights enforces the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule gives individuals rights over their protected health information and sets rules and limits on who can look at and receive that health information. The HIPAA Security Rule protects health information in electronic form by requiring entities covered by HIPAA to use physical, technical, and administrative safeguards to ensure that electronic protected health information remains private and secure. The HITECH Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to HHS and the media.  Smaller breaches affecting less than 500 individuals must be reported to the secretary on an annual basis. Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at:  http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html. The HHS Resolution Agreement can be found athttp://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ resolution_agreement_and_cap.pdf. Additional information about OCR’s enforcement activities can be found athttp://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

Tennessee: No evidence stolen personal information being used, BlueCross says

Andy Sher reports: No identity theft or credit card fraud has been found stemming from the October theft of 57 computer hard drives containing BlueCross customers’ personal information, a company official told state lawmakers today. “No sir,” Clay Phillips, BlueCross’ director and associate general counsel for state affairs, told Sen. Ken Yager, R-Harriman. “We monitor that daily.” Mr. Phillips said the Chattanooga-based insurer has had a “couple” of notifications that members’ company-issued identification number were “exposed.” But he emphasized that BlueCross officials tracked the cases down and were able to “determine that none of it is the result of this exposure.” BlueCross’ update to Senate State and Local Government Committee members is the latest action the company has taken following the theft of the computer hard drives from an abandoned BlueCross training center at the Eastgate Center in Chattanooga. Read more in the Chattanooga Free Times Press.

TRH Health Plan notifies 80,000 members after BCBS of Tennessee improperly used personal info

Holly Fletcher reports: TRH Health Plan, a not-for-profit service company of Farm Bureau, has contacted some members about information that was inappropriately used by BlueCross BlueShield of Tennessee, an administrative partner with the health plan. “They have the right to have (the information), but didn’t have the right to use for marketing,” said Ryan Brown, general counsel at TRH in Columbia. TRH mailed letters to about 80,000 members on Jan. 9 informing them that BlueCross BlueShield of Tennessee inappropriately accessed their names and addresses to create marketing materials. The misuse is a violation of the Health Insurance Portability and Accountability Act. Read more on The Tennessean.

You can do everything right, but still incur penalties – lessons learned from BCBS of Tennessee

Deborah Johnson Pyles writes: One of the lessons from the recent settlement agreement entered into by Blue Cross/Blue Shield of Tennessee with the Department of Health and Human Services is that doing everything right may not be enough. The settlement concerned alleged violations of Health Insurance Portability and Accountability Act privacy and security laws arising from the theft of 57 computer hard drives containing 1,023,209 members names, ID numbers, diagnosis codes, dates of birth, and social security numbers. The hard drives were left in a locked closed in office space that BCBSTN vacated as it moved operations to a new location. Read more on ID Experts.  

BCBS of Tennessee provides update on breach involving stolen hard drives

Approximately one year after the theft of 57 hard drives containing member data  from a leased facility in Chattanooga,  BlueCross Blue Shield of Tennessee provided an update on the breach to the New Hampshire Attorney General’s Office. BCBS had assigned the affected individuals to one of three “tiers.”  Tier 1 included those whose Social Security Numbers were involved, Tier 2 included those who had no SSN but who had diagnostic or health information as well as other personal information, and Tier 3 included those who had some forms of personally identifiable information but no SSN and no health information. According to their letter dated October 15, the total number of individuals affected was 1,023,209.  Of those, 451, 274 individuals were Tier 1, while 319,325 were Tier 2, and 239,730 were Tier 3. To date, BCBS has received less than 10 requests for credit restoration services from individuals in Tier 1, and does not believe that those 10 cases were due to the breach although they approved and paid for the credit restoration services. The company says that it will continue to monitor for potential harm to its members and to cooperate with law enforcement in investigating the theft but has, by now, notified everyone whose identity could reasonably be determined from the drives. Previous coverage of this breach on PHIprivacy.net can be found here.

(follow-up) TN: BlueCross completes analysis of data theft

Emily Bregel reports: BlueCross BlueShield of Tennessee has wrapped up its assessment of customer data that was stolen in an October 2009 robbery of its abandoned Eastgate Town Center office. The state’s largest health insurer has concluded that nearly 1 million BlueCross members were affected by the theft, the same number stated in an earlier report on the incident. […] BlueCross has spent about $10 million contacting affected enrollees, investigating the theft and arranging for credit restoration services for affected members. Read more in the Chattanooga Times Free Press.

BCBS of Tennessee still notifying individuals of breach

Almost six months after the theft of 57 hard drives from their Chattanooga facility, BlueCross BlueShield of Tennessee is still in  the process of notifying individuals of the breach, according to an update to the new Hampshire Attorney General’s Office dated March 31 (pdf). Update: Note that as of this month, the number of individuals affected by or being notified about the breach has risen to 998,442.

“It is an understatement to say that BlueCross regrets this data breach.”

The breach disclosure notification provided by BCBS of Tennessee to the Maryland Attorney’s General Office has just been made available online.   The detailed letter about the theft of 57 hard drives from a Chattanooga facility, dated December 16, 2009, provides additional insight into the mammoth chore BCBS faced trying to determine what data were on the drives in stored audio and video files and whom to notify when no electronic solution could be found.  The company retained Kroll OnTrack to assist in data recovery and investigation and reports that through the first week of December, between Kroll and BCBS, there were 500 full-time and 300 part-time workers reviewing both the audio and video files and performing data entry. The full-time employees worked on two different shifts six days a week. To date, all 300,000 video files have been reviewed and are being processed and deduplicated for member identification and notification, and approximately 550,000 audio files have been reviewed and are being processed. The third and final set of audio data is currently being reviewed by over 400 full-time Kroll staff…. BlueCross BlueShield’s General Counsel Bill Young notes in the detailed letter: It is an understatement to say that BlueCross regrets this data breach. No doubt. A sample notification letter to affected individuals is also appended to the notification to Maryland. Cross-posted from PHIprivacy.net Update: Robert McMillan followed up and gives us a bit more data: As of Jan. 8, more than 110,000 work-hours had been spent reviewing the material. The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.

"It is an understatement to say that BlueCross regrets this data breach."

The breach disclosure notification provided by BCBS of Tennessee to the Maryland Attorney’s General Office has just been made available online.   The detailed letter about the theft of 57 hard drives from a Chattanooga facility, dated December 16, 2009, provides additional insight into the mammoth chore BCBS faced trying to determine what data were on the drives in stored audio and video files and whom to notify when no electronic solution could be found.  The company retained Kroll OnTrack to assist in data recovery and investigation and reports that through the first week of December, between Kroll and BCBS, there were 500 full-time and 300 part-time workers reviewing both the audio and video files and performing data entry. The full-time employees worked on two different shifts six days a week. To date, all 300,000 video files have been reviewed and are being processed and deduplicated for member identification and notification, and approximately 550,000 audio files have been reviewed and are being processed. The third and final set of audio data is currently being reviewed by over 400 full-time Kroll staff…. BlueCross BlueShield’s General Counsel Bill Young notes in the detailed letter: It is an understatement to say that BlueCross regrets this data breach. No doubt. A sample notification letter to affected individuals is also appended to the notification to Maryland. Update: Robert McMillan followed up and gives us a bit more data: As of Jan. 8, more than 110,000 work-hours had been spent reviewing the material. The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.