Premera Blue Cross Pays $6.85 Million to Settle Data Breach Affecting 10.4 Million People
Premera Blue Cross, based in Mountlake Terrace, Wash., has agreed to pay $6.85 million to the U.S. Department of Health & Human Services Office for Civil Rights related to a 2015 breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history, after the Anthem Inc. settlement of $16 million for a breach that affected almost 79 million people.
Premera operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than 2 million people. On March 17, 2015, it filed a breach report on behalf of itself and its network of affiliates stating that hackers used a phishing e-mail to install malware that gave them access to Premera’s IT system in May 2014, which went undetected for nearly nine months until January 2015. This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.
OCR’s investigation found systemic noncompliance with HIPAA rules, including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management and audit controls.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR director, in a statement.
In addition to the monetary settlement, Premera Blue Cross (PBC) has agreed to a robust corrective action plan that includes two years of monitoring.
OCR recently announced five smaller enforcement actions in its Right of Access Initiative and a $2.3 million settlement with CHSPSC LLC, which provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems Inc., in Franklin, Tenn.
In another recently announced settlement, Athens Orthopedic Clinic PA in Georgia has agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential HIPAA violations.
On June 26, 2016, a journalist notified Athens Orthopedic that a database of their patient records may have been posted online for sale. On June 28, 2016, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the database it stole. Athens Orthopedic subsequently determined that the hacker used a vendor's credentials on June 14, 2016, to access their electronic medical record system and exfiltrate patient health data. The hacker continued to access protected health information (PHI) for over a month until July 16, 2016.
On July 29, 2016, Athens Orthopedic filed a breach report informing OCR that 208,557 individuals were affected by this breach, and that the PHI disclosed included patients' names, dates of birth, Social Security numbers, medical procedures, test results, and health insurance information.
OCR's investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules by Athens Orthopedic including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.