The Office of Civil Rights of the Department of Health and Human Services (“OCR”) announced this month a settlement with Blue Cross and Blue Shield of Tennessee of a complaint alleging a security leak in violation of HIPAA. The case is interesting factually and resulted in the payment by Blue Cross of a $1,500,000.00 penalty and the imposition of a Corrective Action Plan.
Blue Cross moved out of its leased building space, leaving behind a data network closet under the control of the landlord. The closet had a biometric and keycard scan security system with a magnetic lock and a separate lock with a keyed door. Blue Cross transferred control to the landlord on June 30, 2009, and intended to move the closet hard drives in the first week of November.
The closet contained 57 hard drives encoded with data. The data included 300,000 videos and 1 million audio records regarding customer service calls.
They contained member names, member IDs, diagnosis codes, dates of birth and Social Security numbers. They contained personal health information for 1,023,209 Blue Cross members.
On October 2, 2009, the computers in the closet were unresponsive. Blue Cross waited until October 5, 2009 to investigate. The settlement did not disclose how the thieves were able to breach the security devices, or whether the security devices were operative.
The Corrective Action Plan requires Blue Cross to update its policies and procedures and to train its staff. It also requires ongoing monitoring, including interviews of re-trained staff and the random investigation of 25 devices controlled by the Blue Cross workforce as to appropriate security precautions. This is the first settlement by OCR of a security breach complaint.