[ Thursday, March 15, 2012 ]


Blue Cross Blue Shield of Tennessee pays $1.5 million for HIPAA breach: I know, this is a couple of days old, and some stalwarts like Dom Nicastro are way ahead of me on this, but I've been busy. BCBSTn kept a bunch of computer hard drives in a storage closet at a call center they had closed in Tennessee, and somebody stole a bunch of them. Bad to lose the hardware, but the drives had personal information, including names and SSNs. According to the HHS press release, BCBSTn didn't perform a security analysis about whether it should store hard drives (with data on them) like that, and didn't do sufficient physical security on the building in question.

In addition to the hefty fine, BCBSTn also entered into a settlement agreement where they agreed to a lot of the usual things (review and revise policies and procedures, employee training and the like), but also have to randomly audit the locations where they store portable devices. That seems awfully odd to me -- why not require them to audit all the locations, not random ones?

Also, my first reaction to this story was, I have a small piece of advice for them -- encrypt. When you're doing your full audit of portable devices, why not scramble the data on each one with an encryption program? Well, as it turns out, BCBSTn has spent $17,000,000 on its investigation, notification, and protection efforts with regard to this incident, and has already encrypted all data at rest. Something the rest of you ought to think about. . . .

One key element to this that is definitely worth noting -- this breach occurred in the fall of 2009. I don't know if OCR was negotiating this the whole time, or was late to the investigation, or if BCBSTn was late to report it, but that's an awfully old breach to be paying such a steep price for. I suspect there is NO evidence that the data was used during the 2 and a half years since the theft; however, even though there was no "damage" from the breach in the traditional sense, this is a good example of how it's sort of hard to price the risk of a data breach.

If you want to read more, here's the BNA report (subscription required). Here's the Resolution Agreement and Corrective Action Plan. And more here, here, and here.

Jeff [5:32 PM]

Comments: Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template