Premera Blue Cross has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Premera Blue Cross is an independent licensee of the Blue Cross Blue Shield Association. It is the “largest health plan in the Pacific Northwest” and serves more than two million people in Alaska and Washington.
The settlement stems from a 2014 cyber-attack that went undetected for almost nine months and affected more than 10.4 million people. It is the second-largest payment to resolve a HIPAA investigation in OCR history.
In 2014, attackers used a phishing email to install malware on Premera Blue Cross’s information technology systems and then maintained access, undetected, for nearly nine months. During that time, protected health information was exposed, including “names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.”
HHS’s investigation identified numerous potential violations. Notably, Premera Blue Cross potentially failed to prevent unauthorized access to the electronic protected health information (ePHI) maintained on its network. The investigation also indicated that Premera Blue Cross may not have conducted a risk and vulnerability assessment of its ePHI and may have failed to implement sufficient security measures to address the risks such an assessment would have identified.
In addition to the financial settlement, Premera Blue Cross will implement a corrective action plan that includes two years of OCR monitoring. Under the plan, Premera Blue Cross must conduct a risk analysis and then develop and implement a risk management plan based on its findings.
OCR Director Roger Severino said of the settlement, “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will.”
Severino continued, “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

