To date, there is no indication of any misuse of personal data from the stolen hard drives, according to BCBST. The company's response included the encryption of all its at-rest data as well as investigation, notification, and protection efforts—to the tune of $17 million, according to its statement. That amounts to about $17 per breached record.
"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for BlueCross, said in the statement to HCPro, Inc.
Message in the CAP
In addition to the settlement, BCBST must adhere to its corrective action plan (CAP), which states that the health insurer must:
BCBST must also conduct unannounced audits of BCBST facilities housing portable devices and audit 25 BCBST workforce members who use portable devices.
"That's really something I have not seen before," says Ali Pabrai, MSEE, CISSP, chief executive of ecfirst, home of The HIPAA Academy. "They are making them randomly audit their facilities that house portable devices. The fact they are saying it should be done randomly and unannounced shows they are serious about this."
The interim final rule on breach notification went into effect in August of 2009, only months before the BCBST breach. Pabrai says entities should take note that OCR is willing to go back years to investigate breaches.