By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    HIPPA compliance
    How Medical Office Staff Can Make Your Practice HIPAA Compliant
    October 29, 2021
    Everything you need to know about hyaluronic acid treatment
    Everything you need to know about hyaluronic acid treatment
    February 10, 2022
    Which Mushroom Capsules Are Good for Your Health?
    May 5, 2022
    Latest News
    6 Easy Healthcare Ways to Sit Less and Move More Every Day
    September 10, 2025
    7 Most Common Healthcare Accreditation Programs: Which Should You Use?
    August 20, 2025
    Hospital Pest Control and the Fight Against Superbugs
    August 20, 2025
    Hygiene Beyond The Clinic: Attention To Overlooked Non-Clinical Spaces
    August 13, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Extending the Frontiers: Working Despite Alzheimer’s and Campus Smoking Bans
    September 1, 2011
    Wall Street Protesters Need a Cause Like Healthcare
    October 6, 2011
    Maps 2.0: Interacting With Our Health Care World
    November 14, 2011
    Latest News
    Healthcare at a Crossroads: Why Leadership Matters More Than Ever
    September 9, 2025
    How Social Security Disability Shapes Access to Care and Everyday Health
    August 22, 2025
    How a DUI Lawyer Can Help When Your Future Health Feels Uncertain
    August 22, 2025
    How One Fall Can Lead to a Long Road of Medical Complications
    August 22, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Total Cost of a HIPAA Violation: 18.5 Million
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Medical Records > Total Cost of a HIPAA Violation: 18.5 Million
Medical Records

Total Cost of a HIPAA Violation: 18.5 Million

onlinetech
onlinetech
Share
4 Min Read
SHARE

Who: Blue Cross Blue Shield of Tennessee (BCBST)

Who was affected: Over 1 million members of the BCBST had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs.

What: 57 unencrypted hard drives were stolen from a leased facility in Tennessee, out of a data storage closet. According to the resolution agreement, the BCBST were relocating staff from the facility and had not yet moved the servers from the closet to their new location.

Who: Blue Cross Blue Shield of Tennessee (BCBST)

More Read

Why Blockchain In Healthcare Could Be A Game Changer For EHRs
ePatients: What’s the Big Deal?
The Importance Of Cybersecurity In The Healthcare Sector
Health Information Technology: Whistling by the Graveyard
Interactive: A Status Report on Health Information Technology in the States

Who was affected: Over 1 million members of the BCBST had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs.

What: 57 unencrypted hard drives were stolen from a leased facility in Tennessee, out of a data storage closet. According to the resolution agreement, the BCBST were relocating staff from the facility and had not yet moved the servers from the closet to their new location.

Charged with: The OCR (Office of Civil Rights, official HIPAA-enforcement entity) found the BCBST failed to have ‘adaquate facility access controls,’ according to their press release. This put them in violation of implementing the appropriate physical safeguards as listed in the HIPAA Security Rule.

They were also found in violation of the administrative safeguards by failing to perform a security evaluation after operational changes.

What they could have done differently: Encrypt all data at rest, including their archived data stored on hard drives. This is a strongly recommended best practice for healthcare organizations that need to meet HIPAA compliance.

They also could have chosen to store their data in a secure, offsite location that had the appropriate physical safeguards/access controls, another important feature of HIPAA compliant data centers.

When: BCBST was alerted October 2, 2009 of an unresponsive server at the facility, but didn’t investigate until October 5, 2009. Official completion date of review, audit and affected individual notification was October 29, 2010.

How much did it cost them: Although the settlement case required BCBST to pay HHS 1.5 million, the company has spent nearly $17 million in investigation, notification and protection costs to date, bringing the total to 18.5 million. Affected individuals received free credit monitoring services, free identity monitoring, consultation, and restoration.

What are their next steps: BCBST encrypted all of its at-rest data, which they claim to be “a voluntary effort which goes above and beyond current industry standards.” While it might not be explicitly required by HIPAA standards, it’s pretty close (read Encrypting Data to Meet HIPAA Compliance for tips) :

A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))

BCBST entered a 450 day corrective action plan, which includes sending their written PHI security policies and procedures to HHS, monitoring their employees to ensure they’re trained and following HIPAA compliant policies and procedures, and conduct a risk management plan.

For more on HIPAA violations and the effects of data breaches, try reading How a HIPAA Breach Can Negatively Impact Your Business, or Sutter Health HIPAA Breach: Lessons Learned.

References:
HHS Resolution Agreement
BlueCross, HHS Reach Settlement in 2009 Hard Drive Data Theft
Eastgate Hard Drive Theft
HHS Settles HIPAA Case With BCBST for $1.5 Million

TAGGED:HIPAA violations
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

a woman walking on the hallway
6 Easy Healthcare Ways to Sit Less and Move More Every Day
Health
September 9, 2025
Clinical Expertise
Healthcare at a Crossroads: Why Leadership Matters More Than Ever
Global Healthcare
September 9, 2025
travel nurse in north carolina
Balancing Speed and Scope: Choosing the Nursing Degree That Fits Your Goals
Nursing
September 1, 2025
intimacy
How to Keep Intimacy Comfortable as You Age
Relationship and Lifestyle Senior Care
September 1, 2025

You Might also Like

icd-10 and HIPAA
FinanceHospital AdministrationMedical RecordsPublic Health

Improve Document Security in the Face of ICD-10: A HIPAA Checklist

March 29, 2014
8 funny icd10 codes his
BusinessFinanceHospital AdministrationMedical RecordsOrthopaedicsRadiology

Eight of the Funniest ICD-10 Codes

March 5, 2014

What I Learned at the HIMSS Conference About Developments in Health IT for the Rest of 2012

March 27, 2012
icd-10 delay
BusinessHospital AdministrationMedical RecordsPolicy & Law

4 Myths About the ICD-10 Delay

May 17, 2014
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?