BlueCross BlueShield of Tennessee Fined $1.5 Million

The Department of Health and Human Services is fining BlueCross BlueShield of Tennessee $1.5 million for the 2009 loss of 57 hard drives that contained unencrypted protected health information (PHI). In addition to the fine, the agency must submit to a 450-day corrective action plan.[1]

In 2009, 57 hard drives were stolen from a data storage closet in a at a former BlueCross call center located in Chattanooga. These drives a range of personal information for approximately 1 million members related to customer service calls from providers and members. While it does not appear there has been any misuse of data, the theft represents a serious breach of PHI. Over the last two and half years, BlueCross BlueShield of Tennessee has spent almost $17 million in costs related to investigation, notification and protection efforts.

With the pressures related to EHR implementations and achieving meaningful use, PHI may not be given the priority it deserves. In fact, Lisa Vaas (Naked Security) reports talking with a Boston area physician about the breech who responded, “HIPAA is important to protect patients’ privacy, but it’s more an impediment than anything,” she told me. “None of us understand it, so we err on the side of not giving each other information, and that slows down the care process.”[2]

This common frustration with HIPPA may cause many healthcare decision-makers to give priority to other IT projects that offer clearer benefits. As a result, there are many facilities who may be vulnerable to the same problem faced by BlueCross BlueShield of Tennessee.

Rick Kam, president and co-founder of ID Experts, told InformationWeek Healthcare that he expects more PHI breaches to surface. He says, “I suspect there will be many other enforcement actions in the news as OCR finds other entities that have had similar lapses in security out of the thousands of complaints OCR looks into each year.”[3]

In the BlueCross BlueShield of Tennessee incident, the OCR investigation determined that there was a failure to implement appropriate administrative safeguards, a failure to perform required security evaluation and a failure to implement appropriate operational safeguards. Maintaining effective IT security and compliance requires an ongoing process that regularly reviews policies and policy implementation, that offer ongoing staff training, and that adheres to an overall security/compliance plan.

How does a CIO convince the organization to invest in the expenses associated with administering an effective plan protecting PHI? Rick Kam recently talked with Healthcare IT News about this topic. He offered several helpful suggestions to CIOs about addressing PHI concerns within an organization.[4]

1. Acknowledge the challenge of communicating PHI concerns to your Executive Team.
Many times, the Executive Teams fail to see the importance of investing in PHI oversight. The challenge is communicating the need to have a plan in place and the value it presents to the organization.
2. Be prepared to address practical concerns on investment costs.
As we’ve stated hear before, CIOs face the challenge of learning how to frame IT investments in business terms. How does it impact the bottom line? What’s the return on investment? How does it further business goals?
3. Prepare a case based on high risk areas.
CIOs can prepare for this conversation by identifying the specific challenges for security in the organization. What are the challenges? What’s the strategy for addressing these challenges? What type of technologies and processes are needed to support this plan for mitigating risks?
4. Translate risks into cost centers.
These initial questions can help the CIO and team define the current and potential cost impact of various security risks, including potential fines, reporting and investigation fees, and associated action plans. These potential costs can yield a specific risk value amount.
5. Presenting IT investment as business case
Now with this little preparation, the CIO is in a better position to offer a solid business case to Executive Team and demonstrate value, highlight best practices, and offer solutions as affordable investments that mitigate potential risk loss events that come at a much higher price tag.

[1] Staff Writer. “BlueCross, HHS Reach Settlement In 2009 Hard Drive Data Theft.” The Chattanoogan, March 13, 2012
[2] Lisa Vaas. “US health insurer fined $1.5m over 2009 data breach.” Naked Security, March 15, 2012 .
[3] Nicole Lewis. “Data Theft Costs Tennessee Blue Cross Big Bucks.” InformationWeek, march 14, 2012 .
[4] Michelle McNickle. “5 things CIOs need to know about funding the protection of PHI.” Healthcare IT News, March 14, 2012

Read more at Intergracon Blog