HIPAA Violation and Data Loss results in $1.5M Fine for Blue Cross Blue Shield – and Massive Related Costs

The recent penalty on BlueCross BlueShield of $1.5 million to the federal government is a harsh warning to the Healthcare and Insurance industries to ensure effective data protection. The costs of HIPAA violations are severe, and companies need to make certain they employ an effective data protection solution built to address compliance and to simplify data management for IT.

The Real Costs and Penalties of HIPAA Non-Compliance and HIPAA Violation

The fine however is not the only expense of this Data Loss incident. Since the data was lost in 2009, the company has spent around $17 million in costs on investigation, analysis, notification and improved data protection efforts. This is a sure indication of the costs of HIPAA non-compliance, and how the associated costs of data loss are severe.

The data loss, investigated by the U.S. Department of Health and Human Services Office for Civil Rights, which said the company “failed to implement appropriate administrative safeguards to adequately protect information” at the facility and did not have adequate facility access controls. Both failures violated requirements of the Health Insurance Portability and Accountability Act.

Blue Cross Blue Shield has now agreed to a 450-day corrective action plan to assess and address weaknesses in its HIPAA compliance program, HHS said. The costs of HIPAA violation stretch beyond financial consequences.

Download our White Paper: HIPAA Compliance through Effective Data Protection

The penalty is a result of potential HIPAA violations of patient information rules that resulted from the theft of 57 hard drives from the Blue Cross Blue Shield. The hard drives contained protected health information of over one million customers. This personal information included Full Names, Date of Birth, Social Security number, diagnosis codes and health plan identification numbers.

“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez.

BlueCross will also have to review, revise and maintain its privacy and security policies and procedures. They will have to ensure that no future HIPAA violations take place.

Read more on Healthcare Cyber Security