Blues plan gets nailed for HIPAA security breach. No one is outraged because … ?

The Department of Health and Human Services announced Tuesday that Blue Cross Blue Shield of Tennessee agreed to pay the agency $1.5 million to settle a potential HIPAA violation — the first resulting from a breach under the HITECH Act’s (Health Information Technology for Economic and Clinical Health) breach notification rule, which requires covered entities to report an impermissible use or disclosure of the protected health information of 500 or more individuals to HHS and the media.

So, obviously you’ve heard about this a million times already on CNN and other news outlets, right? Yeah, didn’t think so.

I Googled “blue cross blue shield tennessee, hitech” when I saw the HHS press release, and you know where this story is covered? In the trade press — outlets like Computerworld and Modern Healthcare. Well-respected publications, to be certain, but I guarantee you that when Zappos and Facebook experienced similar information security breaches recently, you didn’t hear about it from Computerworld.

And that, to be blunt, makes me furious.

According to HHS, BCBST had 57 unencrypted computer hard drives stolen from a leased facility in Tennessee. The drives contained the protected health information of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. Not only did BCBST fail to implement appropriate administrative safeguards to protect that information, it also failed to implement appropriate physical safeguards by not having adequate facility access controls — both of which are required by the HIPAA Security Rule.

So, an information breach that involves individuals’ partial credit card information, shoe-buying habits and status updates is the making of a national news story, but a breach of their private health information and Social Security numbers is a big yawn? Where is the national coverage? Where is the public outrage? Anybody?

Sigh.

Apparently, in addition to having to fork over $1.5 million, BCBST is required to review, revise and maintain its privacy and security policies and procedures, conduct regular and robust training for all employees with HIPAA responsibilities, and perform reviews to ensure future compliance.

That’s great and all, but one could argue that a brighter spotlight should be on this so that employers and individual plan members could decide whether or not they’d like to take their business elsewhere.

What do you think? Share your thoughts in the comments.
