Steep fine sends message on patient data protection

The Tennessee Blues’ $1.5 million settlement is seen as a reminder to physicians that the government is taking the mishandling of information seriously.

By Emily Berry — Posted April 2, 2012


The federal government’s first settlement resulting from a health care data breach reported under a part of the 2009 stimulus bill will cost BlueCross BlueShield of Tennessee $1.5 million, on top of what it has spent notifying customers and changing its data security practices.

The settlement should tell physicians that the government “takes security breaches seriously,” said Yarnell Beatty, director of the legal and governmental affairs division for the Tennessee Medical Assn. The rules on what constitutes a patient data breach, how health care entities must deal with them, and what government action those entities must face apply to physician practices.

“It is critical for physicians to have policies and procedures in place to protect [personal health information] — and to update them as needed and follow them!” he said in an email. “HIPAA privacy rules have been in effect long enough for the government to believe it can ramp up enforcement and penalties now.”

Tennessee’s largest insurer says it has spent $17 million dealing with the unintentional exposure of personal information belonging to more than 1 million people. That figure includes the $1.5 million the Blues agreed on March 13 to pay to the U.S. Dept. of Health and Human Services Office of Civil Rights in a settlement. The company did not formally admit wrongdoing.

The settlement is the first action resulting from a breach report required by the Health Information Technology for Economic and Clinical Health Act, according to HHS. The HITECH Act was part of the 2009 stimulus package.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered and monitored HIPAA compliance program,” OCR Director Leon Rodriguez said in a news release. “The HITECH Breach Notification Rule is an important enforcement tool, and OCR will continue to vigorously protect patients’ right to private and secure health information.”

The theft of 57 external hard drives from a BlueCross BlueShield of Tennessee office in October 2009 left patient and physician information exposed, including Social Security numbers in some cases. The drives were never found, and thus far there has been no sign that the data were misused.

“Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times,” Tena Roberson, deputy general counsel and chief privacy officer for the plan, said in a company news release.

The drives, which were stolen from a customer service call center in Chattanooga, contained sound recordings and screen captures from customer service calls.

Personal information linked to more than 1 million people was compromised, according to the Blues. The company paid for one year of credit monitoring and protection for those people, with more intensive services available to those whose Social Security numbers were contained on the drives, along with their names and addresses.

Since the theft, the Tennessee Blues plan says it has spent thousands of hours and millions of dollars upgrading its data security. It encrypted every piece of stored data at a cost of $6 million.

As part of its settlement with federal authorities, BlueCross BlueShield agreed to a 450-day plan to fortify its data security and ensure that its employees are trained to protect privacy.

Tennessee physicians are increasingly aware of their responsibility to keep personal health information private and protected, said Tennessee Medical Assn. spokesman Russ Miller. He said he is sure the Blues plan “learned their lesson from it. That’s a pretty steep fine, but at the same time they are a large company.”
