A data breach can affect any organization that handles sensitive information. From a data breach hospital incident involving protected health information to large-scale financial sector exposures, the root causes are often the same. Poor oversight, weak vendor controls, and improper data destruction continue to put sensitive data at risk. These issues appear across data breach HIPAA cases, insurance providers, and major financial institutions.
At e-Waste, we’ve been covering data breaches for more than a decade. In 2012, we published the following article after a major data breach at Blue Cross Blue Shield, which helped shape how HIPAA enforcement is viewed today.
Blue Cross Blue Shield HIPAA Data Breach (2012)
The article below is preserved exactly as it was originally published in 2012 and is included as historical context.
BCBST Pays $1.5 Million to HHS to Settle Potential HIPAA Privacy and Security Violations
On March 13, 2012, Blue Cross Blue Shield of Tennessee (BCBST) agreed to a payment of $1.5 million to the Department of Health and Human Services (HHS) and to a corrective action plan as part of a Resolution Agreement with HHS for potential violation of Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations. According to a HHS Press Release of the same date, “the enforcement action [by HHS’ Office for Civil Rights (OCR)] is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.”
According to the HHS Press Release:
“The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
“‘This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,’ said OCR Director Leon Rodriguez. ‘The HITECH [Act] Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.’”
In Appendix A (Corrective Action Plan) to the Resolution Agreement, pay particular attention to the provisions of Section VI (Corrective Action Obligations):
A. Policies and Procedures
B. Distribution and Updating of Policies and Procedures
C. Minimum Content of the Policies and Procedures and Reportable Events
D. Training
E. Monitoring
The content of these provisions provides excellent guidance on procedures underpinning compliance efforts and consequences of non-compliance.
Credit: Ed Jones, Author & Healthcare Authority
This data breach involving Blue Cross Blue Shield highlights the same risks hospitals and healthcare systems face today when devices, documents, or media containing patient data are not properly secured or destroyed.
Recent Data Breach: Bank of America
More recently, a data breach at Bank of America demonstrated how third-party vendors can become a weak point. In this incident, a vendor failed to properly destroy sensitive documents, leading to the exposure of customer information.
This data breach involving Bank of America mirrors what hospitals, insurers, and other regulated organizations continue to face when vendor oversight and data disposal practices fall short.
The Ongoing Pattern
Whether it’s a data breach at a hospital, a data breach HIPAA case, the pattern remains the same: inadequate controls and improper data destruction lead to preventable breaches.
Data breaches are often preventable with the right controls in place.
Contact us to make sure your company’s data destruction and recycling practices don’t put you at risk.
