Wednesday, March 14, 2012

MSBCBS of TN Settles HIPAA/HITECH Violation for $1.5M

The HHS Office for Civil Rights (OCR) announced a settlement of $1.5M with Blue Cross Blue Shield of Tennessee (BCBST) relating to potential violations under the HIPAA Privacy and Security Rules. According to the OCR press release, the enforcement action by OCR is the first reported as resulting from a breach report required under the new Breach Notification Rule implemented as a result of the HITECH provisions of HIPAA.

The breach involved 57 unencrypted computer hard drives that were stolen from a facility leased by BCBST in Tennessee. The hard drives contained protected health information of approximately 1 million individuals. The breach was reported by BCBST to OCR under the HITECH provisions and regulations that require reporting of potential breaches. The press release indicates that OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

For more information, see the HHS press release "HHS settles HIPAA case with BCBST for $1.5 million", which includes a link to the HHS Resolution Agreement entered into between OCR and BCBST.

1 comment:

Lorraine Emerick said...

Breaches are on the rise. Cyber crime has evolved from the lone hacker into a network of criminals with greater specialization and methods of distribution. Today, it’s easy to become a cyber criminal with the hacking tools, spyware and botnet rentals available openly online. As a result, entrepreneurial criminals are developing sophisticated business organizations with “associates” by the thousands to fuel the cybercrime supply chain.

Truth is, traditional General/Professional Liability and Property Insurance policies weren’t designed to address the complex cyber risks that threaten client information and compromise networks – leaving organizations and professionals unprotected against privacy lawsuits, loss of revenue, reputation and potentially loss of clients.

Organizations need to understand their exposure to risk and be prepared for the financial impact.