Blue Cross Blue Shield of Tennessee (BCBST) recently agreed to a settlement arising from a 2009 data breach. Under the settlement, BCBST will pay the U.S. Department of Health and Human Services (HHS) $1.5 million in connection with the theft of 57 unencrypted computer hard drives containing protected health information (PHI) for over 1 million individuals. BCBST reportedly incurred nearly $17 million in costs for the investigation, breach notification and protective measures.
Pursuant to HITECH, HIPAA covered entities must promptly report breaches of unsecured PHI. For a breach affecting 500 or more individuals, notice must be provided to the affected individuals, to prominent media outlets and to HHS.
In addition to the monetary settlement, BCBST agreed to a corrective action plan to remedy its HIPAA compliance program. The company must review, update, and maintain its privacy and security policies and procedures. Additionally, BCBST must monitor and report on its own adherence to the corrective action plan and regularly conduct HIPAA/HITECH training.
Proactive implementation of appropriate security measures can greatly reduce the risk of a breach and can strengthen a covered entity's position in responding to governmental authorities if a breach does occur. Encryption is a case in point: under HHS guidance, PHI encrypted in accordance with the applicable standards is not "unsecured" PHI, so the loss of encrypted media generally does not trigger the HITECH notification requirements that the unencrypted drives triggered here. Additionally, prompt investigation, reporting and mitigation can significantly reduce the cost of a data breach.
If you have questions about how this may impact your business, please contact Sean Stadelman (267.519.6850, firstname.lastname@example.org) or another member of the Goldberg Segalla Professional Liability Practice Group.