BlueCross BlueShield of Tennessee has announced that it has spent more than $7 million to respond to a security breach that might have compromised members’ personal and health data, the Chattanooga Times Free Press reports.
How did this happen?
In October 2009, 57 hard drives were stolen from a company training facility. The hard drives contained audio and video files with identifying information for up to 500,000 members.
Though BlueCross BlueShield officials say they have not yet encountered any evidence that the missing data have been accessed or misused, the insurer was obligated to notify 220,000 members about the data theft. In addition, BlueCross will notify attorneys general in 32 states about the breach. The 2009 federal economic stimulus package requires such disclosures about health data breaches.
The company is also paying for credit-monitoring services for affected members and has stated that at least 20,500 members have signed up for the services so far. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The company may need to spend significantly more money to evaluate the missing data and provide additional identity protection services.
HIPAA Security rules require that a covered entity notify every potentially affected patient every time the security of protected health information is breached.