BlueCross BlueShield of Tennessee, Inc., agreed to pay $1.5 million to the U.S. Department of Health and Human Services for an alleged data security breach in the first enforcement action stemming from the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in early 2009.

Beth Moskow-Schnoll, Practice Leader of Ballard Spahr’s privacy and data security practice, said that although BlueCross should have done a better job of safeguarding the information it had, the company reacted appropriately after discovering the theft.

“They determined that there had been a breach and then they reported it,” Ms. Moskow-Schnoll said, adding that “the only reason that HHS launched an investigation was because (BlueCross) followed the law and reported the breach, as they had to.”