Blue Cross Blue Shield of Tennessee (BCBST) has become the first company in the nation to settle over a medical data security breach, agreeing to pay $1.5 million to the Department of Health and Human Services (HHS).

The settlement stems from new security breach rules and fines imposed by 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act.

Blue Cross Blue Shield was under fire for the loss of 57 unencrypted hard drives stolen from a no-longer-in-use storage facility. The hard drives contained recordings of customer service phone calls, but there was no evidence that the data was ever misused. The drives held the protected health information (PHI) of more than 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers.

HHS implemented a breach notification Web site in early 2010, and the site averages 17 new breach notifications each month. Under HITECH, companies must immediately notify HHS of breaches covering 500 or more individuals as well as report them to the media. Smaller breaches can be reported to HHS on an annual basis.

“This settlement sends an important message that OCR [the HHS Office for Civil Rights] expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”

In addition to the $1.5 million settlement, the agreement requires BCBST to review, revise, and maintain its privacy and security policies and procedures, to conduct regular and robust training for all BCBST employees covering their responsibilities under HIPAA, and to perform monitoring reviews to ensure BCBST's compliance with the corrective action plan.