I’m a little late to the game, but I wanted to pass some commentary and make some observations on the recent HHS settlement that Blue Cross Blue Shield of Tennessee agreed to. I’ve covered the data breach since 2009, which had its twists and turns. For example, I was initially led to believe that the stolen hard drives were protected with drive encryption software like AlertBoot.
Then came the updates as BCBS tried to get a grip on what, exactly, was going on. For example, it was initially reported that 68 hard drives were stolen. This was later corrected to 57 hard drives. The hard drives went from being encrypted to “encoded” to unencrypted. The drives only contained training material, then personal data. It was pandemonium all around, playing itself out over a couple of months.
I had blogged in July 2010 that the BCBS of Tennessee saga had “come to a close.” I was wrong, of course. The saga ended earlier this month — nearly two years later — when the health insurance company agreed to settle with the Department of Health and Human Services (HHS) for a cool $1.5 million, as well as agreeing to “corrective action plan to address gaps in its HIPAA compliance program.”
However, I wasn’t completely wrong when I made the 2010 announcement: BCBS had announced that they had completed their data analysis on what was stolen.
It had taken them over six month to finish the analysis because the theft of 57 unencrypted hard drives breached PHI in a format that doesn’t allow easy analysis, and required hundreds of people to go through files one by one:
It also turns out that they’ve got 700 people working on identifying what and who was breached. Why 700 people? The information included video and audio files. I assume that, since there is no reliable way of extracting information from such files, people have to play the files one by one and note whether names, SSNs, and other personal information is found within them.
When you take the above into account, it shouldn’t come as any surprise that in addition to the $1,500,000 settlement, BCBS spent “more than $17 million for investigation, notification, and protection efforts,” according to law.com.
That $17 million figure is a far cry from the estimated $7 million that was bantered about in January 2010.
Another figure was also updated, aside from the cost to put the incident to rest. The number of people affected by the breach increased from an estimated 500,000 to over 1,000,000 people.
What Does This All Mean?
A massive HIPAA breach will not be resolved soon. From start to finish, the situation took approximately 2.5 years to resolve. That’s 2.5 years that BCBS of Tennessee executives had to spend focusing on the wrong stuff. Obviously, the costs associated with a data breach are not relegated to monetary figures alone.
It couldn’t get worse. Or could it? A settlement of $1.5 million is big. In fact, it’s the maximum civil monetary penalty that can be charged in a calendar year under HIPAA / HITECH. Which is weird because this settlement is labeled as a settlement. How do you “settle” for the maximum penalty?
Is this an implication that covered-entities face more than monetary penalties if PHI is breached? If so, what did the HHS give up as a potential penalty to force BCBS into settling for the maximum fine?
The HHS means business and is empowered. This settlement is the first under the HITECH Breach Notification Rule. And, as I noted above, it’s for the maximum allowable under the law. Obviously, the HHS has no qualms in using their newly added powers.
Incidentally, the BCBS fine is not the highest recorded; I know of at least one that is higher. Cignet Health was fined $4.3 million for HIPAA violations. However, $3 million out of the total amount was assessed because Cignet wouldn’t cooperate with HHS. The remainder was assessed because Cignet wouldn’t give patients access to their own medical records.
The BCBS of Tennessee fine is the first penalty that can be directly tied to the Breach Notification Rule. A covered entity might not be required to use encryption under HIPAA and HITECH, but seeing how PHI protected with encryption is given safe harbor from the Breach Notification Rule, you’d have to be crazy not to deploy and use encryption in your organization.
Related Articles and Sites: