Blues plan gets nailed for security breach. Why is no one outraged?

The Department of Health and Human Services announced in March that Blue Cross Blue Shield of Tennessee agreed to pay the agency $1.5 million to settle a potential HIPAA violation - the first resulting from a breach under the HITECH Act's (Health Information Technology for Economic and Clinical Health) breach notification rule, which requires covered entities to report an impermissible use or disclosure of protected health information of 500 individuals or more to HHS and the media.

So, obviously you heard about this a million times already on CNN and other news outlets, right? Yeah, didn't think so.

I Googled "blue cross blue shield tennessee, hitech" when I saw the HHS press release, and you know where this story is covered? In trade press - entities like Computer World and Modern Healthcare. Well-respected publications, to be certain, but I guarantee you that when Zappos and Facebook experienced similar information security breaches recently, you didn't hear about it from Computer World.

According to HHS, BCBST had 57 unencrypted computer hard drives stolen from a leased facility in Tennessee. The drives contained the protected health information of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth and health plan identification numbers. Not only did BCBST fail to implement appropriate administrative safeguards to protect the information, but it also failed to implement appropriate physical safeguards by not having adequate facility access controls - both of these safeguards are required by the HIPAA Security Rule.

So, an information breach that involves individuals' partial credit card information, shoe-buying habits and status updates is the making of a national news story, but a breach of their private health information and Social Security numbers is a big yawn?

After writing about the breach and resulting punishment on EBN's blog, Employee Benefit Views, I received a statement from Mary Danielson, the carrier's communications director, who told me that on top of the HHS fine, BCBST has "spent $17 million to identify, notify and protect the information of our members. Those efforts included directly mailing each affected member, providing free credit monitoring to the most at-risk customers and offering the Kroll ID TheftSmart program to all others impacted by the theft. In addition, we encrypted all at-rest data within the company - a project so far above industry standards for protecting customer information that Consumer Reports called it a 'refreshing change' and stated BlueCross 'acted much the way Consumer Reports thinks breached companies should.' We hope our efforts have demonstrated our sincere concern for data security and that we have regained our members' full trust."

I'm glad BCBST has taken the matter seriously. But my quibble isn't with the carrier's response to the breach; my issue is with the lack of coverage about it in general. One could argue that a brighter spotlight should have been placed on this so employers and individual plan members could decide whether or not they'd like to take their business elsewhere.

Send letters, queries and story ideas to Editor-in-Chief Kelley M. Butler at kelley.butler@sourcemedia.com.
