The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve the HIPAA violations found during its investigation of a 2014 data breach involving the electronic protected health information (ePHI) of 10.4 million people.
Premera Blue Cross, based in Mountlake Terrace, WA, is the largest health plan in the Pacific Northwest and serves more than 2 million people in Alaska and Washington. In May 2014, an advanced persistent threat (APT) group gained access to Premera’s computer network and remained undetected for approximately 9 months. The attackers targeted the health plan with a spear-phishing email that downloaded malware. The malware gave the APT group access to ePHI including names, birth dates, addresses, email addresses, bank account information, Social Security numbers, and health plan clinical information.
Premera Blue Cross discovered the breach in January 2015 and notified OCR of the breach in March 2015. OCR opened an investigation and found “systemic non-compliance” with the HIPAA Rules.
OCR determined that Premera Blue Cross had failed to:
- Conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
- Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Implement sufficient hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI, prior to March 8, 2015.
- Prevent unauthorized access to the ePHI of 10,466,692 individuals.
Given the nature of the HIPAA violations and the scale of the breach, OCR determined that a financial penalty was warranted. Premera Blue Cross agreed to settle the case without admission of liability. In addition to the financial penalty, Premera Blue Cross agreed to adopt a robust corrective action plan (CAP) to address all areas of non-compliance identified during the OCR investigation. Premera Blue Cross will be monitored directly by OCR for two years to ensure its compliance with the CAP.
Roger Severino, OCR Director, stated that when major health insurance entities fail to spend the time and effort to identify their security weaknesses, be they technical or human, hackers certainly will. This case clearly shows the harm that results when cybercriminals are allowed to roam undetected in a computer system for almost nine months.
In 2019, Premera Blue Cross agreed to pay $10 million to settle a HIPAA violation lawsuit arising from the breach. 30 state attorneys general had investigated the health plan and determined that Premera Blue Cross had failed to meet its obligations under HIPAA and Washington’s Consumer Protection Act. Premera Blue Cross also agreed to a $74 million settlement of a lawsuit filed by individuals whose ePHI was compromised in the breach.
The latest penalty is the second-largest HIPAA penalty OCR has imposed on a covered entity or business associate for HIPAA violations. The largest financial penalty is the $16 million imposed on Anthem Inc. over a 2015 data breach involving the ePHI of 79 million individuals.
The penalty is the 11th HIPAA penalty announced by OCR in 2020 and the 8th announced this September. So far in 2020, OCR has collected $10,786,500 to resolve HIPAA violations identified during its data breach and HIPAA complaint investigations.