
{"id":1834,"date":"2012-03-15T00:00:00","date_gmt":"2012-03-15T00:00:00","guid":{"rendered":"http:\/\/otava.test\/total-cost-of-a-hipaa-violation-18-5-million\/"},"modified":"2012-03-15T00:00:00","modified_gmt":"2012-03-15T00:00:00","slug":"total-cost-of-a-hipaa-violation-18-5-million","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/","title":{"rendered":"Total Cost of a HIPAA Violation: 18.5 Million"},"content":{"rendered":"<p><strong>Who<\/strong>: Blue Cross Blue Shield of Tennessee (BCBST)<\/p>\n<p><strong>Who was affected<\/strong>: Over 1 million BCBST members had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs.<\/p>\n<p><strong>What<\/strong>: 57 unencrypted hard drives were stolen from a data storage closet at a leased facility in Tennessee. According to the resolution agreement, BCBST was relocating staff from the facility and had not yet moved the servers out of the closet to their new location.<\/p>\n<p><strong>Charged with<\/strong>: The OCR (Office of Civil Rights, the official HIPAA enforcement entity) found that BCBST failed to have \u2018adequate facility access controls,\u2019 according to its <a href=\"https:\/\/www.hhs.gov\/news\/press\/2012pres\/03\/20120313a.html\">press release<\/a>. This put BCBST in violation of the physical safeguards required by the HIPAA Security Rule.<\/p>\n<p>They were also found in violation of the administrative safeguards, having failed to perform a security evaluation after operational changes.<\/p>\n<p><strong>What they could have done differently<\/strong>: Encrypt all data at rest, including their archived data stored on hard drives. 
This is a strongly recommended best practice for healthcare organizations that need to meet <a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA compliance<\/a>.<\/p>\n<p>They also could have chosen to store their data in a secure, offsite location that had the appropriate physical safeguards\/access controls, another important feature of\u00a0<a href=\"https:\/\/otavawebsite.wpengine.com\/operations\/locations\/michigan-cloud-and-data-centers\/\/compliance\/hipaa-compliant-data-centers\">HIPAA compliant data centers<\/a>.<\/p>\n<p><strong>When<\/strong>: BCBST was alerted on October 2, 2009 to an unresponsive server at the facility, but didn\u2019t investigate until October 5, 2009. The review, audit and notification of affected individuals were officially completed on October 29, 2010.<\/p>\n<p><strong>How much did it cost them<\/strong>: Although the settlement required BCBST to pay HHS $1.5 million, the company has spent nearly $17 million on investigation, notification and protection costs to date, bringing the total to $18.5 million. 
Affected individuals received free credit monitoring, identity monitoring, consultation and restoration services.<\/p>\n<p><strong>What are their next steps<\/strong>: BCBST encrypted all of its at-rest data, which it describes as \u201ca voluntary effort which goes above and beyond current industry standards.\u201d While encryption might not be explicitly required by the HIPAA standards, it\u2019s pretty close (read <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/encrypting-data-to-meet-hipaa-compliance\/\">Encrypting Data to Meet HIPAA Compliance<\/a> for tips):<\/p>\n<blockquote>\n<p dir=\"ltr\">\u201cA covered entity must, in accordance with \u00a7164.306\u2026 Implement a mechanism to encrypt and decrypt electronic protected health information.\u201d (45 CFR \u00a7 164.312(a)(2)(iv))<\/p>\n<\/blockquote>\n<p>BCBST entered a 450-day corrective action plan, which includes sending its written PHI security policies and procedures to HHS, monitoring its employees to ensure they are trained in and following HIPAA-compliant policies and procedures, and carrying out a risk management plan.<\/p>\n<p>For more on <a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/hipaa-compliant-hosting\/resources\/what-is-a-hipaa-violation\">HIPAA violations<\/a> and the effects of data breaches, try reading <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/how-a-hipaa-breach-can-negatively-impact-your-business\/\">How a HIPAA Breach Can Negatively Impact Your Business<\/a>, or <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/sutter-health-hipaa-breach-lessons-learned\/\">Sutter Health HIPAA Breach: Lessons Learned<\/a>.<\/p>\n<p>References:<br \/>\n<a href=\"https:\/\/www.hhs.gov\/ocr\/privacy\/hipaa\/enforcement\/examples\/resolution_agreement_and_cap.pdf\">HHS Resolution Agreement<\/a><br \/>\n<a href=\"https:\/\/www.bcbst.com\/about\/news\/releases\/Settlement_in_2009_Hard_Drive_Data_Theft.htm\">BlueCross, HHS Reach Settlement in 2009 Hard Drive Data Theft<\/a><br \/>\n<a 
href=\"https:\/\/www.bcbst.com\/learn\/special-information\/eastgate\/\">Eastgate Hard Drive Theft<\/a><br \/>\n<a href=\"https:\/\/www.hhs.gov\/news\/press\/2012pres\/03\/20120313a.html\">HHS Settles HIPAA Case With BCBST for $1.5 Million<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Who: Blue Cross Blue Shield of Tennessee (BCBST) Who was affected: Over 1 million members of the BCBST had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs. What: 57 unencrypted hard drives were stolen from a leased facility in Tennessee, out of a data storage closet. According to the resolution agreement, the BCBST were relocating staff from the facility and had not yet moved the servers from the closet to their new location. Charged with: The OCR (Office of Civil Rights, official HIPAA-enforcement entity) found the BCBST failed to have \u2018adequate facility access controls,\u2019 according to their press release. This put them in violation of implementing the appropriate physical safeguards as listed in the HIPAA Security Rule. They were also found in violation of the administrative safeguards by failing to perform a security evaluation after operational changes. What they could have done differently: Encrypt all data at rest, including their archived data stored on hard drives. This is a strongly recommended best practice for healthcare organizations that need to meet HIPAA compliance. 
They also could have chosen to store their data in a secure, offsite location that had the appropriate physical safeguards\/access controls, another important&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1834","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head_json":{"title":"Total Cost of a HIPAA Violation: 18.5 Million | OTAVA","description":"Over 1 million members of the BCBST had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/","og_locale":"en_US","og_type":"article","og_title":"Total Cost of a HIPAA Violation: 18.5 Million","og_description":"Over 1 million members of the BCBST had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs.","og_url":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/","og_site_name":"OTAVA","article_published_time":"2012-03-15T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"Total Cost of a HIPAA Violation: 18.5 Million","datePublished":"2012-03-15T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/"},"wordCount":456,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/","url":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/","name":"Total Cost of a HIPAA Violation: 18.5 Million | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2012-03-15T00:00:00+00:00","description":"Over 1 million members of the BCBST had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/total-cost-of-a-hipaa-violation-18-5-million\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"Total Cost of a HIPAA Violation: 18.5 
Million"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma 
Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}}}