BlueCross BlueShield of Tennessee has entered into a resolution agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules. The agreement includes a $1.5 million penalty and a 450-day corrective action plan.
The settlement covers the 2009 theft of 57 hard drives from a data storage closet at a former BlueCross call center located in Chattanooga. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included varying degrees of personal information on about 1 million members. To date, there is no indication of any misuse of personal data from the stolen hard drives, says BlueCross BlueShield.
The company’s response to the crime included the encryption of all its at-rest data, a voluntary effort that goes above and beyond current industry standards. In total, the company says it has spent nearly $17 million on investigation, notification and protection efforts.
The corrective action plan that BlueCross will follow includes providing HHS with current written policies and procedures specific to protected health information and individually identifiable health information, and monitoring its workforce to ensure training on, and enforcement of, those policies and procedures.