First Data Breach Settlement Under HITECH--$1.5 million


HHS reached a settlement on March 12, 2012 with Blue Cross Blue Shield of Tennessee (“BCBST”) for $1.5 million stemming from a 2009 data breach. This settlement represents the first under the HITECH Act. 

Pursuant to its obligations under the HITECH Act, BCBST notified the United States Department of Health and Human Services Office for Civil Rights (“OCR”) that 57 unencrypted hard drives had been stolen from a locked closet in a facility that BCBST was not occupying at the time. (BCBST was in the process of moving to a new facility.) The locked data closet was secured by biometric and keycard scan access with a magnetic lock, plus an additional door with a keyed lock. In addition, the property manager provided general facility security services. The drives contained protected health information belonging to approximately 1 million individuals. The notification prompted an OCR investigation, which found that BCBST had failed to implement appropriate administrative safeguards, because it had not performed the required security evaluation in response to operational changes (i.e., its move to a new location), and that it had failed to provide physical safeguards adequate to protect the information.

Although the settlement with OCR was for $1.5 million, several reports stated that BCBST has spent more than $17 million over the two-and-a-half-year period responding to the data breach itself, covering its investigation, notification and protection efforts. In addition, BCBST is required to implement a corrective action plan that includes random auditing of BCBST portable devices and electronic data storage devices, including unannounced site visits to facilities housing portable devices.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising
