BlueCross BlueShield of Tennessee, Inc.
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
BlueCross BlueShield of Tennessee (BCBST) has experienced multiple data breaches over the years, with significant consequences.
2009 Breach and Settlement
The most notable incident occurred on October 2, 2009, when 57 unencrypted computer hard drives were stolen from a leased call-center facility that had recently closed. These drives contained sensitive information, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers, affecting more than 1 million individuals[1][6]. An investigation by the Department of Health and Human Services’ Office for Civil Rights (OCR) found that BCBST had failed to implement appropriate administrative and physical safeguards to protect the information[1]. As a result, BCBST agreed to pay a $1.5 million settlement and carry out a corrective action plan, which required it to revise its privacy and security policies, conduct regular training, and monitor its compliance with the plan[1]. This settlement was the first enforcement action directly resulting from the HIPAA breach notification rule established by the HITECH Act[1].
Subsequent Breaches
BCBST has also been affected by other breaches. In 2020, a cyberattack on EyeMed, BCBST’s vision care vendor, potentially impacted approximately 1,300 members. The unauthorized access occurred on July 1, 2020, and the compromised information included full names, addresses, dates of birth, and Social Security numbers[9][12]. EyeMed offered two years of free credit monitoring services to the affected individuals[9].
Another incident in 2023 involved a hack of the MOVEit Transfer tool used by BCBST’s business associate NASCO for file transfers. This breach affected the protected health information of 1,665 BCBST members, including health insurance numbers, group numbers, claim information, medical ID numbers, dates of service, procedure codes, and provider names[2][3]. NASCO notified the affected BCBST members and offered 24 months of identity monitoring services[3].
Lessons Learned and Actions Taken
Following the 2009 breach, BCBST took several steps to improve security, such as encrypting all stored data, adding physical security layers to protect servers, appointing a chief security officer, and assessing data retention policies[6]. The company also prepared a breach notification plan and pre-selected a list of vendors to help with various tasks in case of future incidents[6].
Legal and Financial Implications
The financial impact of the 2009 breach on BCBST was significant, with nearly $17 million spent on investigation, notification, and protection efforts[1]. The legal implications included the aforementioned $1.5 million settlement with HHS and the requirement to implement a corrective action plan[1].
In summary, BCBST has faced multiple data breaches, with the 2009 incident being the most severe in terms of the number of individuals affected and the financial and legal consequences for the company. BCBST has since taken measures to enhance its data security and comply with regulatory requirements.
Citations:
1. https://www.databreachtoday.com/bcbs-tenn-gets-15-million-penalty-a-4583
2. https://www.hipaajournal.com/december-healthcare-data-breach-round-up/
3. https://bcbstnews.com/pressreleases/nasco-moveit-breach-impacts-individuals-with-bluecross-coverage/
4. https://bcbstnews.com/pressreleases/nascomoveitnotice/
5. https://www.doj.nh.gov/consumer/security-breaches/documents/blue-cross-20100331.pdf
6. https://www.healthcareinfosecurity.com/bcbs-tenn-breach-lessons-learned-a-2549
7. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/bcbst/index.html
8. https://apps.web.maine.gov/online/aeviewer/ME/40/b99afd7b-db72-4718-9513-581c1a090777.shtml
9. https://bcbstnews.com/pressreleases/eyemed-announces-cyberattack-offers-protection-for-affected-bcbst-members/
10. https://www.healthcareinfosecurity.com/bcbs-notifying-520000-about-breach-a-2187
11. https://www.tennessean.com/story/money/industries/health-care/2015/01/13/bluecross-blueshield-mailing-violates-act/21718185/
12. https://www.timesfreepress.com/news/2020/dec/22/bluecross-visivendor-hackeddatbreach-hits-130/
13. https://law.justia.com/cases/federal/appellate-courts/ca6/18-5897/18-5897-2019-06-04.html
14. https://www.computerworld.com/article/2730856/tennessee-insurer-to-pay–1-5-million-for-breach-related-violations.html
15. https://www.healthcareinfosecurity.com/tennessee-breach-case-grows-to-1-million-a-2409
16. https://www.hipaajournal.com/error-bluecross-blueshield-tennessee-causes-hipaa-privacy-rule-violation/
17. https://hipaahealthlaw.foxrothschild.com/2010/01/articles/hitech-act/tennessee-blues-data-theft-may-impact-500000-members/
18. https://law.justia.com/cases/tennessee/supreme-court/2019/m2015-02524-sc-r11-cv.html