First Data Breach Settlement Under HITECH: $1.5 Million

HHS reached a settlement on March 12, 2012 with Blue Cross Blue Shield of Tennessee (“BCBST”) for $1.5 million stemming from a 2009 data breach. This settlement represents the first under the HITECH Act. 

Pursuant to its obligations under the HITECH Act, BCBST notified the United States Department of Health and Human Services Office for Civil Rights (“OCR”) that 57 unencrypted hard drives had been stolen from a locked closet in a facility that BCBST was not occupying at the time. (BCBST was in the process of moving to a new facility.) The locked data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock. In addition, the property manager provided general facility security services. The drives included protected health information that belonged to approximately 1 million individuals. This ultimately prompted an OCR investigation that found that BCBST failed to implement appropriate administrative safeguards since it had not performed a required security evaluation in response to operational changes (i.e., its process of moving to a new location) and that it had failed to provide physical safeguards to adequately protect the information. 

Although the settlement with OCR was for $1.5 million, several reports stated that BCBST had spent more than $17 million over the two-and-a-half-year period responding to the data breach itself, covering the investigation, notification and protection efforts. In addition, BCBST is required to implement a corrective action plan that includes random auditing of BCBST portable devices and electronic data storage devices, including unannounced site visits to facilities housing portable devices.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising