A data breach
that occurred in 2009 and exposed the private personal information for more than a million people led to a recent settlement between a well-known insurer and the federal government.
BlueCross BlueShield of Tennessee recently struck a deal to pay $1.5 million in penalties to the U.S. Department of Health and Human Services as a result of a data breach that violated the Health Insurance Portability and Accountability Act, according to a report from Computer World
. In addition to paying that money, the insurer also has to review and alter its privacy and security policies, as well as train employees regularly on their responsibilities when handling sensitive data.
Leon Rodriguez, director of the HHS Office for Civil Rights, stated this settlement was a major milestone in data breach notification
rules, because it was the first reached as a result of action taken under Health Information Technology for Economic and Clinical Health requirements, the report said.
"This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program," Rodriguez said, according to the site.
The breach itself happened in late 2009 when a thief broke into a training center run by the insurance company and stole 57 hard drives containing unencrypted information on the more than 1 million victims, the report said. The exposed data included about 600,000 recordings of customer calls to the company, and another 300,000 screen shots from call center representatives' computers during those calls. This data contained information of varying types on the victims, though the company believes little or none of it has been used for fraudulent purposes some two and a half years later.
So far, the company has seen costs related to the investigation, notification and mitigation of the breach's causes and effects climb to nearly $17 million, the report said. It devoted as many as 800 full- or part-time employees to review and recompile the lost data.Ondrej Krehel
, the chief information security officer for Identity Theft
911, writes a blog about the issues that may arise for consumers and companies alike following a data breach, and what can be done to keep those concerns minimized.
© IDT911, LLC. All Rights Reserved.