Insurer to pay additional $1.5 million for 2009 breach-related violations


A 2009 data breach that has already cost BlueCross BlueShield nearly $17 million has just gotten a little bit more expensive.

In a further settlement unveiled today, the insurer agreed to pay $1.5 million to the US Department of Health and Human Services (HHS), to review and revise its privacy and security policies, and to regularly train employees on their responsibilities under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

HIPAA's breach notification rules require covered entities to notify affected individuals of any breach involving their health information. They also require covered entities to notify HHS and the media when a breach affects more than 500 people.

Today's settlement stems from an October 2009 breach in which an unidentified intruder compromised data that included about 600,000 audio recordings of customer support calls and over 300,000 screenshots showing what call centre staff had on their computer screen when they were handling these calls.