Premera Blue Cross to pay second-largest HIPAA fine to OCR

Premera Blue Cross has agreed to pay HHS’ Office for Civil Rights $6.85 million, the second-largest fine resolving alleged HIPAA violations in OCR’s history, the agency said Friday.

OCR imposed the fine on the Mountlake Terrace, Wash.-based health insurer to settle alleged HIPAA violations linked to a 2014 data breach that compromised data on 10.4 million people.

Hackers in May 2014 targeted Premera Blue Cross with a phishing email that installed malware on the insurer’s information system, giving the hackers access to some of the company’s data. That access went undetected for nearly nine months, until January 2015, according to OCR.

Premera Blue Cross filed a report with the agency detailing in the incident in March 2015.

The undetected cyberattack exposed protected health information on more than 10.4 million people, including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and clinical information.

During an investigation, OCR officials said they found “systemic noncompliance with the HIPAA rules,” such as alleged failures to implement risk management and audit controls, as well as to conduct risk analyses.

“This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said OCR Director Roger Severino in a statement. “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will.”

In addition to the monetary settlement, Premera Blue Cross will implement a corrective action plan that includes HHS monitoring the insurer’s compliance with HIPAA for two years.

Premera Blue Cross did not immediately respond to a request for comment.

The largest HIPAA settlement reached by OCR to date is a $16 million fine paid by Anthem in 2018, resolving a massive 2015 data breach that hit nearly 79 million people.


Liked Liked