For anyone who might have fancied that the Health Information Technology for Economic and Clinical Health (HITECH) Act, an Act that addresses the privacy and security concerns associated with the electronic transmission of health information, is a paper tiger, ask BlueCross BlueShield of Tennessee, which last month paid a $1.5 million settlement after losing data on more than 1 million customers as a result of a 2009 burglary.
The resolution of the case is significant when one considers that the patient data at the time of the theft was outside the control of BlueCross. The patient information was on 57 hard drives kept in a secured closet at a former call center that BlueCross had vacated three months earlier.
The penalty, which was the result of a negotiation with U.S. Department of Health and Human Services’ Office of Civil Rights, was the first since the HITECH Act was passed. But the fine was less than 10 percent of the true cost to BlueCross, which so far has spent $17 million in corrective actions.
Fortunately for BlueCross, the thief or thieves who stole the hard drives in an after-hours burglary in Chattanooga, TN, on Oct. 2, 2009, apparently were more interested in the hardware than they were in the data it contained. To date there is no evidence that the information on the drives, which according to the federal civil rights office contained names of members, social security numbers, diagnosis codes, birth dates, and health plan identification numbers, has been compromised, BlueCross said in a statement.
The hard drives were “encoded but not encrypted,” according to a statement by BlueCross. “The retrieval of member data from these drives would require highly specialized expertise and software,” it said in a later statement.
While the value of the hard drives was estimated to be in the thousands of dollars, the actual cost of the burglary to BlueCross, so far $17 million, has made it in the words of one newspaper possibly the “costliest caper” in Chattanooga history.
“Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times,” said Tena Roberson, deputy general counsel and chief privacy officer for BlueCross. Following the burglary, BlueCross had to recover the lost data from backups, identify the customers and providers affected, and then notify each one of the security breach and what actions were available to them. It spent $7 million implementing tighter IT security throughout its operation, including encryption of all at-rest data, which the insurer claims exceeds all current industry standards for security.
The BlueCross data theft is a cautionary tale for other health care providers and insurers, not only as proof that the Health and Human Services’ civil rights office will seek redress for information security violations of HITECH, but also as a reminder of how much care organizations must take with their data.
What enabled the burglary to occur in the first place was that BlueCross had relocated its staff to another building, vacating the office space, but had left behind servers in a locked network closet. At the end of June, prior to the theft, BlueCross had turned over security of the closet to the property management company until the servers could be moved, which was scheduled for November. Even though the closet was secured with a biometric and keycard security system (which operated a magnetic lock) and a keyed lock, the thieves were able to get access.
The health insurer was deemed responsible by the Office of Civil Rights even though the data was in the care of another company outside BlueCross. While BlueCross admits no liability as a result of the theft, it agreed to pay the $1.5 million settlement “to avoid the burden and additional expense of investigation and litigation,” according to the resolution agreement with HHS. It also agreed to a “corrective action plan” that it must complete over the next 450 days.