Blue Cross said there was no indication that any of the data has been misused. The company has spent $17 million on its investigation, notification and protection efforts following the thefts, including voluntarily encrypting all of its “at rest” data.
“Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times,” Tena Roberson, deputy general counsel and chief privacy officer for the Tennessee Blues, said in the release.
The Health Information Technology for Economic and Clinical Health Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, includes a requirement that certain organizations must report instances of impermissible use of private health information or breaches that affect more than 500 people to regulators and news media.
After its investigation, the Office for Civil Rights concluded that Blue Cross had violated health-privacy laws in two ways: by failing to perform a required security evaluation in response to an operational change, and by failing to implement physical safeguards such as adequate facility access controls, according to the agency's news release.
Dr. Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation in Austin, Texas, said the Office for Civil Rights' financial settlement and corrective action plan disregard the harm to victims. The agreement could have required the company to provide identity-theft monitoring services, for example, because many cases of medical identity theft take years to materialize, she said.