HHS settles HIPAA case with BCBST for $1.5 million

On March 9, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1,500,000 to settle potential violations of the HIPAA Privacy and Security Rules. BCBST also agreed to a corrective action plan that includes: reviewing, revising, and maintaining its Privacy and Security policies and procedures; conducting regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA; and performing monitor reviews to ensure BCBST compliance with the plan. The investigation followed a notice that BCBST submitted to HHS, reporting that 57 unencrypted computer hard drives containing PHI of over 1 million individuals had been stolen from a leased facility in Tennessee. The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.

Content created by Office for Civil Rights (OCR)