BlueCross BlueShield of Tennessee penalized for theft of 57 hard drives.
March 14--BlueCross BlueShield of Tennessee said Wednesday it will pay a $1.5 million penalty to the federal government to settle potential violations of patient information rules stemming from the 2009 theft of 57 hard drives from the insurer.
The hard drives were stolen from a data storage closet at a former BlueCross BlueShield call center near Chattanooga. They contained protected health information of more than 1 million BlueCross customers including their names, Social Security numbers, diagnosis codes, dates of birth and health plan identification numbers.
The theft was investigated by the U.S. Department of Health and Human Services Office for Civil Rights, which said the company "failed to implement appropriate administrative safeguards to adequately protect information" at the facility and did not have adequate facility access controls. Both failures violated requirements of the Health Insurance Portability and Accountability Act.
The company also agreed to a 450-day corrective action plan to address gaps in its HIPAA compliance program, HHS said.
"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in a statement.
Since the theft, the company has spent nearly $17 million in its investigation, notification and protection efforts, it said.
The penalty is the first to result from a breach report required under the Health Information Technology for Economic and Clinical Health (HITECH) Act's breach notification rule, and the government is clearly making an example of BlueCross.
"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered and monitored HIPAA compliance program," said OCR Director Leon Rodriguez.
BlueCross will also have to review, revise and maintain its privacy and security policies and procedures.
BlueCross BlueShield of Tennessee is the state's largest health insurer with more than 3 million members. The company is independent of other BlueCross companies and is a not-for-profit organization, though not a charity.