U.S. health insurance company BlueCross BlueShield of Tennessee (BCBST) is being fined $1.5 million for a 2009 data breach in which unencrypted information on some one million BlueCross members was stolen.
According to Computerworld, BCBST is the first company in the US to face the consequences of this particular legislation.
BCBST is an independent licensee of the BlueCross BlueShield Association, which is used by almost 100 million Americans.
The fine comes on top of the $17 million the company has already spent on investigation, notification and protection.
BlueCross BlueShield of Tennessee has also agreed to a 450-day “corrective action plan” that includes encrypting all at-rest data – a voluntary move that “goes above and beyond current industry standards,” its press release noted.
That action plan includes the insurer handing over to the US Department of Health and Human Services (HHS) its current written security policies and procedures specific to protected health information and individually identifiable health information.
Also, the Chattanooga-based company will monitor its workforce to ensure training and enforcement of policies and procedures.
The settlement, which the insurer announced on Tuesday, relates to alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules and Health Information Technology for Economic and Clinical Health (HITECH) breach notification requirements.
The security breach occurred when 57 hard drives were stolen from a data storage closet at a former BlueCross call center located in Chattanooga, Tennessee.
The drives contained unencrypted data that included about 600,000 audio recordings of customer support calls and more than 300,000 screenshots showing what BlueCross call center staff had on their computer screens as they handled the calls.
According to Computerworld, the settlement is the latest in a growing number of HIPAA enforcement actions that HHS has launched over the past year or so. From the article:
Last February, the agency imposed a civil monetary penalty of $4.3 million on health insurer Cignet Health for HIPAA violations, and agreed to a $1 million settlement with Massachusetts General Hospital for similar violations.
In July 2011, the University of California at Los Angeles agreed to pay an $865,000 fine and commit to a multi-year program to remedy HIPAA rules violated when hospital staff snooped on the medical records of two celebrity patients.
As far as the corrective action plan goes, BCBST should be lauded for agreeing to train its personnel in policies and procedures.
To date, there’s been no indication of misuse of personal data from the stolen hard drives. Still, this is a strong reminder of the importance of encrypting sensitive data.
I talked to a Boston-area doctor about the incident, and her reaction was similar to that of many in the healthcare field: “HIPAA is important to protect patients’ privacy, but it’s more an impediment than anything,” she told me. “None of us understand it, so we err on the side of not giving each other information, and that slows down the care process.”
I would hope that this enforcement action by HHS sends a message to all healthcare providers and insurers that the onus is theirs when it comes to training and securing personal information.
I don't see why they should be 'lauded for agreeing to train its personnel in policies and procedures'. I have always believed that an absolute BASIC requirement is to train and educate your workforce in security requirements, especially where the company is 'securing' sensitive personal information.