(Updated with comment at 6 p.m. ET.)
In the first enforcement action stemming from the HITECH Act breach notification rule, Blue Cross and Blue Shield of Tennessee has agreed to pay federal regulators $1.5 million and enter into a corrective action plan after 57 hard drives were stolen from the insurer.
Blue Cross told government authorities that the computer drives contained unencrypted private health information for more than 1 million people, including names, Social Security numbers, dates of birth, diagnosis codes and health plan ID numbers, according to an announcement by HHS' Office for Civil Rights.
The OCR is responsible for enforcing the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009, requires certain organizations to report instances of impermissible use of private health information, including breaches that affect more than 500 people.