Tennessee, USA. Three years after a data leak, the medical association Blue Cross Blue Shield pays a $1.5M penalty under HIPAA.
In October 2009, Blue Cross Blue Shield suffered the theft of 57 unencrypted hard disks, on which were stored the personal data of nearly a million clients. BCBST tried to limit the potential harm that followed the compromise of the data: for everyone affected by the leak, it arranged one year of free monitoring of banking transactions.
However, the Ministry of Health and Public Safety determined that the measures taken were insufficient and issued BCBST a fine of $1.5M. The subdivision of the Ministry responsible for protecting civil rights also demanded that BCBST tighten its security policies, train its staff, and introduce specialized systems for protecting the personal information of clients and employees. InfoWatch analytic center comments: information published on the BCBST site states that implementing encryption alone cost the organization $6M.
Head InfoWatch Analyst Nikolai Fedotov comments: “This cost of introducing encrypted protection might seem overinflated, since there are licenses for encryption programs that are much cheaper, and some are free. However, the problem is that the use of such encryption requires additional employee time, so that for each use there is an organizational registration process, which involves the allocated key, the matching password, the records, authorization of conflicts, and so on. Employees' time in the West is extremely expensive. The cost of encrypting information is currently proportional to the number of workers. It's expensive for large companies. That's probably the reason why state organizations apply such large fines: so that the culprits don't decide to leave things as they were.”