Research Paper on HHS Investigation of BCBST Hard Drive Theft Reveals Data Breach

Introduction

According to a press release from the HHS, the investigation was started after BCBST submitted a notice that reported that about 57 unencrypted computers hard drives had been stolen from its Tennessee facility. The disks contained vital client information that includes voice records of customer service telephone calls. The data that was contained in the stolen hard disks contains social security numbers, member's names, diagnosis codes, health identification numbers and dates of birth. Such information is critical and can be put to several uses by the people that got the information.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

The BCBST was charged for failing to implement the appropriate administrative safeguards that would ensure that the data is adequately protected. The firm had the responsibility of ensuring that the data was adequately safeguarded in the leased facility. The failure of the institution is that it did not conduct adequate security evaluation in regards to the operation changes (Tovino 2018). Besides, the system received an alert that notified it that the server was unresponsive, but it failed to disclose BCBST that there might be an issue of theft. In this case, it emerged that the system that the firm had used were not sensitive enough to respond to any incidences of theft. There was a failure in the entire system since it did not provide any notification that could have put the authorities into action.

Summary of the Facts

Data stored in 57 hard disks in a leased facility was stolen. Secondly, the health plan had failed to implement the appropriate administrative safeguards that would have safeguarded the data. There was also no adequate physical safeguard since the facility did not have access controls. The physical and security evaluation are both requirements under the HIPAA security.

Corrective Measures

To deal with the challenges that had emerged after the cases, the facility was required to make critical changes.

The first thing that it was required was to design and implement policies and procedures that focus on the aspects of risk management and risk assessments. They were also required to develop adequate facility access control that would ensure that access to the facility is not granted to everyone (Tovino 2018). Besides, they were required for developing the right physical safeguards that govern the storage of electronic media.

They are also required to contact regular training of all the employees that have access to the ePHI. The focus is to ensure that each individual is well aware of the security measures that they need to adhere to to ensure that the data is secured,

They were also required to conduct reviews that should be under the firm's chief privacy officer. The monitoring is focused on assessing all the staff members and the electronic media storage and portable devices that house the ePHI (Tovino 2018). The focus is to ensure that everyone adheres to the required training procedures and policies.

Lastly, the organization was required to monitor every unannounced visit to the facility that houses the portable devices. The focus of these efforts is to ensure that there is no other case that might lead to the breach of privacy of the patient's data. Today, data is fundamental and once accessing such vital information could lead to considerable risk to the patients.

Monetary Penalties

The BCBST did not incur any financial penalties. However, if the firm does not fulfil the requirements as provided by the CAP, then they would bear the penalties. The enforcement actions seek to give the organization the chance to make a change to its security subsystem by ensuring that the data that they keep on their clients is secure.

The Fairness of the Fine

The firm was required to pay $1.5milliion as a penalty for failing to offer secure storage of the data. These would seem like a fair amount that can probably push the institutions into taking a keen interest in keeping the data safe. Already, there was a regulation in place that requires such an organization to take the necessary measures to follow the HIPAA security policies (Rutherford 2016). Therefore, the failure of the organization should not be an issue that authorities can take that easily. The penalties thus are fair. However, one would seek to wonder whether the amount goes into the individuals whose data was stolen. There is a concern about what happens to the stolen data. Do the authorities take any steps that seek to trace the data or ensure that it cannot be used for any selfish means? The increases in cases of online fraud may put the individual that lost the information into jeopardy. Perhaps there is a need to try and focus on this issue.

The penalty was the first that resulted from the breach report initiated by the Health Information Technology for Economic and Clinical Health (HITECH) act. The act set the stage for the government to pursue data bridges on PHI and take severe measures that include fines and corrective actions. Healthcare facility and other organizations are thus required to make a formal approach in dealing with the security of data. They should also show that they have taken diligent measures to deal with many issues that regard to the physical security issues of the PHI. Besides, they are requiring developing administrative tools and technical safeguards in the place of data storage.

References

Rutherford, A. (2016). Byrne: Closing the Gap Between HIPAA and Patient Privacy. San Diego L. Rev., 53, 201.

Tovino, S. A. (2018). A Timely Right to Privacy. Iowa L. Rev., 104, 1361.