BlueCross fine over breach related to HIPAA notification rule
The BlueCross BlueShield settlement with the Office for Civil Rights is a reminder for health care organizations to bolster their data security, experts said.
In a settlement that should send a message to health care organizations around the nation that the fines are coming if a breach occurs, BlueCross BlueShield (BCBS) of Tennessee must pay a $1.5 million penalty and implement a "corrective action plan."
The resolution agreement this week with the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) concerns a 2009 breach that affected more than one million members.
In the fall of 2009, 576 unencrypted computer hard drives were stolen from a data storage closet in Chattanooga, Tenn. during a move to a new facility. The data included audio recordings of customer support calls and screenshots of what BCBS call center staff saw when handling the calls.
BCBS reported the breach to the OCR, which began an investigation into the matter. While this resolution may seem like a slap on the wrist compared to the $4.3 million fine Cigna received for its privacy violation in February 2011, BCBS cooperated with the government early in the investigation.
“I think they were relatively lenient if you look at the amount of records and the way the actual theft occurred,” Michael Davis, CEO of Savid Technologies, a Chicago-based technology and security firm specializing in risk management, told SCMagazine.com on Thursday. “Cigna did not cooperate with the OCR very well. Because of that they were fined another $3 million, yet they only had [fewer] than 60 records breached.”
Kirk Nahra, a partner at Wiley Rein LLP, a law firm that specializes in health care and information security, said this settlement should serve as a wake-up call for the industry as a whole.
“It's probably the most significant settlement that we've seen under HIPAA (Health Insurance Portability and Accountability Act),” Nahra told SCMagazine.com on Thursday. “It sends a message that you really have to be taking care of your data. Historically health care organizations haven't had these obligations.”
The OCR launched a breach notification website in February 2010 as a requirement of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a bill that promotes the use of health information technology. HITECH, passed as part of the 2009 economic stimulus bill, is intended to strengthen the protection of identifiable health information by expanding the scope of HIPAA.
The website has received an average of 17 reports per month. Since March 13, more than 400 entities have reported breaches of personal health information (PHI) that was unsecured, affecting more than 500 people in each case.
According to the 2011 "Verizon Data Breach Investigations Report", the PHI held by health care organizations is a major target for attackers. Davis agrees, saying he believes the industry lags behind other verticals in data security.
“You have to look at your data and realize that if you have a lot of data in one spot, it's going to be risky,” Davis said. “With so many records being released, you should have been doing a lot more security controls.”
Adam Greene, a partner at Davis Wright Tremaine LLP, said the government will start cracking down on these breaches since it has “a lot of flexibility to bring extremely high settlements to bear.”
“I think the health care industry overall has a ways to go in information security, and they recognize it,” Greene said. “This settlement sends an important message with respect to making sure you know where your PHI is.”
BCBS has said there have been no reports of the compromised data being misused.
UPDATE: In a statement from BlueCross BlueShield of Tennessee, Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said the company has "worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times."
[An earlier version of this story incorrectly stated that Cigna was the subject of privacy violations and fines, when it was actually Cignet.]