Introduction
According to a press release from the HHS, the investigation was started after BCBST submitted a notice reporting that about 57 unencrypted computer hard drives had been stolen from its Tennessee facility. The disks contained vital client information, including voice recordings of customer service telephone calls. The data on the stolen hard disks included Social Security numbers, members' names, diagnosis codes, health identification numbers and dates of birth. Such information is critical and can be put to several uses by the people who obtained it.
BCBST was charged with failing to implement the appropriate administrative safeguards that would ensure that the data was adequately protected. The firm had the responsibility of ensuring that the data was adequately safeguarded in the leased facility. The failure of the institution is that it did not conduct an adequate security evaluation in regard to the operational changes (Tovino 2018). Besides, the system received an alert that notified it that the server was unresponsive, but it failed to disclose to BCBST that there might be an issue of theft. In this case, it emerged that the systems the firm had used were not sensitive enough to respond to any incidents of theft. There was a failure in the entire system since it did not provide any notification that could have put the authorities into action.
Summary of the Facts
Data stored on 57 hard disks in a leased facility was stolen. Secondly, the health plan had failed to implement the appropriate administrative safeguards that would have protected the data. There was also no adequate physical safeguard, since the facility did not have access controls. Both the physical safeguards and the security evaluation are requirements under the HIPAA Security Rule.
Corrective Measures
To deal with the challenges that had emerged after the case, the facility was required to make critical changes.
First, it was required to design and implement policies and procedures that focus on risk management and risk assessments. They were also required to develop adequate facility access control that would ensure that access to the facility is not granted to everyone (Tovino 2018). Besides, they were required to develop the right physical safeguards that govern the storage of electronic media.
They were also required to conduct regular training of all the employees who have access to the ePHI. The focus is to ensure that each individual is well aware of the security measures that they need to adhere to in order to keep the data secure.
They were also required to conduct reviews under the firm's chief privacy officer. The monitoring is focused on assessing all the staff members and the electronic media storage and portable devices that house the ePHI (Tovino 2018). The focus is to ensure that everyone adheres to the required training procedures and policies.
Lastly, the organization was required to monitor every unannounced visit to the facility that houses the portable devices. The focus of these efforts is to ensure that there is no other case that might lead to a breach of the privacy of patients' data. Today, data is fundamental, and access to such vital information could lead to considerable risk to the patients.
Monetary Penalties
The BCBST did not incur any financial penalties. However, if the firm does not fulfil the requirements as provided by the CAP, then they would bear the penalties. The enforcement actions seek to give the organization the chance to make a change to its security subsystem by ensuring that the data that they keep on their clients is secure.
The Fairness of the Fine
The firm was required to pay $1.5 million as a penalty for failing to offer secure storage of the data. This would seem like a fair amount that can probably push institutions into taking a keen interest in keeping data safe. Already, there was a regulation in place that requires such an organization to take the necessary measures to follow the HIPAA security policies (Rutherford 2016). Therefore, the failure of the organization should not be an issue that authorities take lightly. The penalties thus are fair. However, one would wonder whether the amount goes to the individuals whose data was stolen. There is a concern about what happens to the stolen data. Do the authorities take any steps that seek to trace the data or ensure that it cannot be used for any selfish means? The increase in cases of online fraud may put the individuals who lost the information in jeopardy. Perhaps there is a need to try and focus on this issue.
The penalty was the first that resulted from the breach report initiated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The act set the stage for the government to pursue data breaches involving PHI and take severe measures that include fines and corrective actions. Healthcare facilities and other organizations are thus required to take a formal approach in dealing with the security of data. They should also show that they have taken diligent measures to deal with the many issues regarding the physical security of the PHI. Besides, they are required to develop administrative tools and technical safeguards at the place of data storage.
References
Rutherford, A. (2016). Byrne: Closing the Gap Between HIPAA and Patient Privacy. San Diego L. Rev., 53, 201.
Tovino, S. A. (2018). A Timely Right to Privacy. Iowa L. Rev., 104, 1361.
Cite this page
Research Paper on HHS Investigation of BCBST Hard Drive Theft Reveals Data Breach. (2023, Feb 17). Retrieved from https://proessays.net/essays/research-paper-on-hhs-investigation-of-bcbst-hard-drive-theft-reveals-data-breach