The HHS’ Office for Civil Rights (OCR) has imposed its second largest ever HIPAA violation penalty – $6.85 million – on Premera Blue Cross to resolve potential violations of the Health Insurance Portability and Accountability Act Rules discovered during the investigation of a massive 2014 data breach.
Premera Blue Cross is the largest health plan in the Pacific Northwest, serving more than 2 million people in Washington and Alaska. Hackers targeted the health insurer in May 2014 and installed malware on its systems via a phishing email. The malware gave the attackers access to electronic protected health information (ePHI) on Premera Blue Cross’s systems, including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. Premera Blue Cross discovered the malware in January 2015, almost nine months after it had been downloaded onto its systems. Over that period the malware gave the attackers, an advanced persistent threat group, access to the ePHI of 10.4 million individuals.
OCR was notified about the breach in March 2015 and launched an investigation to determine whether the breach could have been prevented and whether HIPAA Rules had been violated. OCR’s investigators found systemic noncompliance with the HIPAA Rules.
Premera Blue Cross had failed to conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI, and risks and vulnerabilities to ePHI had not been reduced to a reasonable and appropriate level.
Prior to March 8, 2015, Premera Blue Cross had not implemented sufficient hardware, software, and procedural mechanisms to record and analyze activity in information systems that contain ePHI. As a result of these compliance failures, Premera Blue Cross failed to prevent unauthorized access to the ePHI of 10,466,692 individuals.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.
In addition to the financial penalty, Premera Blue Cross has adopted a robust corrective action plan to address the vulnerabilities and has worked closely with OCR since 2015 to ensure HIPAA compliance.
“We are pleased to have reached an agreement with the federal Office for Civil Rights to resolve legal inquiries into the 2014 cyberattack on our data network,” said Premera Blue Cross in a statement. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information.”
In addition to the $6.85 million OCR HIPAA fine, Premera Blue Cross settled a $10 million lawsuit with 30 states in July 2019 and a $74 million federal class action lawsuit filed on behalf of victims of the breach.