HHS reached a settlement on March 12, 2012 with Blue Cross Blue Shield of Tennessee (“BCBST”) for $1.5 million stemming from a 2009 data breach. This settlement represents the first under the HITECH Act.
Pursuant to its obligations under the HITECH Act, BCBST notified the United States Department of Health and Human Services Office for Civil Rights (“OCR”) that 57 unencrypted hard drives had been stolen from a locked closet in a facility that BCBST was not occupying at the time. (BCBST was in the process of moving to a new facility.) The locked data closet was secured by biometric and keycard scan security with a magnetic lock, plus an additional door with a keyed lock. In addition, the property manager provided general facility security services. The drives contained protected health information belonging to approximately 1 million individuals. The theft ultimately prompted an OCR investigation, which found that BCBST had failed to implement appropriate administrative safeguards, because it had not performed the required security evaluation in response to operational changes (i.e., its move to a new location), and that it had failed to provide physical safeguards adequate to protect the information.
Although the settlement with OCR was for $1.5 million, several reports stated that BCBST had spent more than $17 million over the preceding two-and-a-half-year period responding to the breach itself, covering investigation, notification and protection efforts. In addition, BCBST is required to implement a corrective action plan that includes random auditing of BCBST portable devices and electronic data storage devices, including unannounced site visits to facilities housing portable devices.