The Department of Health and Human Services’ Office for Civil Rights (OCR) has required a $6.85 million HIPAA fine on Premera Blue Cross to settle the HIPAA violations uncovered during its investigation of a 2014 data breach regarding the electronic protected health information (ePHI) of 10.4 million people.
Premera Blue Cross in Mountainlake Terrace, WA is the major health plan within the Pacific Northwest and serves over 2 million people in Washington and Alaska. In May 2014, a state-of-the-art persistent threat group acquired access to Premera’s computer network and continued to be undetected for about 9 months. The hackers sent the health plan with a spear-phishing email that deployed malware. The malware enabled the APT group to access ePHI that include names, dates of birth, addresses, email addresses, Social Security numbers, bank account details, and health plan clinical data.
Premera Blue Cross uncovered the breach in January 2015 and notified OCR concerning the breach in March 2015. OCR began an investigation and found “systemic non-compliance” with the HIPAA regulations.
OCR learned that Premera Blue Cross was not able to:
- Carry out a thorough and accurate risk analysis to find all risks to the integrity, confidentiality, and availability of ePHI.
- Lessen risks and vulnerabilities to ePHI to a good and ideal level.
- Use adequate hardware, software application, and procedural systems to log and examine activity relating to information systems that contain ePHI, prior to March 8, 2015.
- Block unauthorized access to the ePHI of 10,466,692 persons.
Considering the nature of the HIPAA violations and the severity of the breach, OCR determined that a financial fine was just right. Premera Blue Cross resolved the HIPAA violation case with no liability admission. Aside from paying the HIPAA violation penalty, Premera Blue Cross consented to execute a corrective action plan to take care of all areas of non-compliance identified by OCR. Premera Blue Cross will be under close supervision by OCR for two years to make certain of its compliance with the CAP.
Roger Severino, OCR Director, said that in case big health insurance entities do not devote the time and effort to recognize their security vulnerabilities, be they technical or human, hackers definitely will. This situation clearly reflects the problems that result when attackers are granted to roam unnoticed in a computer system for approximately nine months.
Last year, Premera Blue Cross accepted to pay a $10 million HIPAA violation legal action due to the breach. 30 state attorneys general had reviewed the health plan and established that Premera Blue Cross failed to meet its requirements under Washington’s Consumer Protection Act and HIPAA. Premera Blue Cross furthermore agreed to resolve a $74 million lawsuit filed by people whose ePHI was disclosed in the breach.
The latest penalty is OCR’s second greatest HIPAA penalty required of a covered entity or business associate in connection to HIPAA violations. The biggest financial penalty is the $16 million imposed on Anthem Inc. because of a 2015 data breach that involved the ePHI of 79 million persons.
The fine is the 11th penalty to be reported by OCR in 2020. It is the 8th to be published this month. Thus far in 2020, OCR received $10,786,500 to resolve HIPAA violations uncovered during investigations of security breaches and HIPAA complaints.