Premera Blue Cross Settles HIPAA Case for $10 Million

Premera Blue Cross has agreed to pay a $10 million penalty to settle the HIPAA violation lawsuit brought against it over its data breach.

In early 2015, Premera Blue Cross discovered that an unauthorized individual had accessed its systems and potentially obtained the records of 10.4 million health plan members. Until the recently announced data breach at American Medical Collection Agency (AMCA), the Premera Blue Cross incident was the third largest healthcare data breach ever reported, and affected members were located across the United States.

Thirty state attorneys general joined a multi-state HIPAA lawsuit after it emerged that basic security failures at Premera had opened the door to the attacker: the company's failure to fix a known vulnerability allowed the hacker to gain access to its network and to plan members' data.

The coalition of attorneys general was led by Washington State AG Bob Ferguson. Announcing the settlement, Ferguson explained that the hacker had access to Premera Blue Cross systems for a year before the breach was discovered.

Premera Blue Cross had previously been warned by cybersecurity experts that its security program had serious deficiencies, but the company failed to correct the vulnerabilities, and that failure led directly to the data breach.

Under the terms of the settlement, in addition to paying the $10 million penalty, Premera must improve its security posture and ensure that the personal health information of its members is properly protected.

Premera must conduct regular security audits to assess whether its security controls still provide sufficient protection. A third-party security expert approved by the coalition must prepare security reports and inform the coalition of the findings.

Premera must also hire a CISO responsible for ensuring HIPAA compliance and for implementing and maintaining the company's security program. The CISO must meet regularly with executive management and must report to the CEO every two months on any unauthorized intrusion into the Premera network.

This is the second multi-state HIPAA enforcement action taken against a HIPAA-covered entity. Earlier this year, Medical Informatics Engineering (MIE) settled a multi-state action over its 2015 data breach for $900,000.