Breach costs Premera Blue Cross $6.85M; second-largest HIPAA fine

By Kyle Brasseur2020-09-28T21:24:00+01:00

No comments

Insurance provider Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services (HHS) regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.

The fine, announced Friday and to be paid to the Office for Civil Rights (OCR) at the HHS, is the second-largest ever for violations of the Health Insurance Portability and Accountability Act (HIPAA) in OCR history. As part of the settlement, Premera agreed to a two-year monitorship and to implement a robust corrective action plan.

According to the HHS’s findings, Premera in May 2014 was the victim of a cyber-attack coordinated by hackers using a phishing email to install malware. The breach went unnoticed until January 2015, and Premera filed a breach report two months later, but the names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information of those more than 10 million people had been left exposed during that nine-month window.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said OCR Director Roger Severino in a press release. “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

During its investigation, the OCR said it discovered numerous instances of noncompliance with HIPAA rules at Premera, including “failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.” The HHS also noted Premera did not have sufficient security measures or the required software in place to protect customer data as part of its resolution agreement.The corrective action plan Premera agreed to implement focuses on improvements in these areas.

Premera is the largest health plan in the Pacific Northwest, serving more than two million people. The insurer did not admit to HHS’s findings as part of its settlement.

The largest HIPAA-related fine handed down by the HHS remains $16 million, levied against Anthem in 2018 in response to a data breach that exposed the health information of almost 79 million people.

Kyle BrasseurKyle Brasseur is Editor in Chief of Compliance Week. His background includes expertise in user personalization with ESPN.com.

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact Editor in Chief Kyle Brasseur.

Article
Excellus Health Plan fined $5.1M for 2015 data breach
2021-01-20T16:21:00Z
The U.S. Department of Health and Human Services’ Office for Civil Rights fined Excellus Health Plan $5.1 million for failures relating to a 2015 data breach that exposed the personal information of 9.3 million individuals.
Article
GoodRx’s mea culpa: Lessons for internet companies handling personal health data
2020-03-04T21:11:00Z
Telemedicine platform GoodRx has committed to enhancements of its consumer data protection after Consumer Reports called out its sharing practices regarding personal health information.
Article
Fed details Custodia Bank membership rejection over risk deficiencies
2023-03-24T20:34:00Z
The Federal Reserve Board further expounded on the risk management deficiencies it found at Custodia Bank as part of the digital-first bank’s application to become a member of the Federal Reserve System.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More Regulatory Enforcement

Article
Polite: Look to ABB case for ‘extraordinary cooperation’ example
2023-03-23T20:20:00Z
Compliance officers seeking clarity on what the Department of Justice means by “extraordinary” cooperation or “immediate” self-disclosure should look to the agency’s case history, said Assistant Attorney General Kenneth Polite Jr. during a speech.
Article
Coinbase facing SEC enforcement over potential securities violations
2023-03-23T18:08:00Z
Coinbase said it was served a Wells Notice by the Securities and Exchange Commission for potential violations of securities law regarding multiple of its cryptocurrency products.
Article
Sterling Bank spared fine, to pay $27.2M in restitution under DOJ plea deal
2023-03-16T20:21:00Z
Sterling Bancorp pleaded guilty to falsifying securities statements prior to and following a 2017 initial public offering and will pay approximately $27.2 million in restitution, the Department of Justice announced.

Plan for your TPRM needs and goals

CW’s flagship event returns for its 18th year

Earn CPE credit with Compliance Week

Learn from the latest headlines and protect your company today

Breach costs Premera Blue Cross $6.85M; second-largest HIPAA fine

Topics

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact Editor in Chief Kyle Brasseur. googletag.cmd.push(function() { googletag.display('div-gpt-ad-B'); });

Related articles

Excellus Health Plan fined $5.1M for 2015 data breach

GoodRx’s mea culpa: Lessons for internet companies handling personal health data

Fed details Custodia Bank membership rejection over risk deficiencies

No comments yet

Only registered users can comment on this article.

More Regulatory Enforcement

Polite: Look to ABB case for ‘extraordinary cooperation’ example

Coinbase facing SEC enforcement over potential securities violations

Sterling Bank spared fine, to pay $27.2M in restitution under DOJ plea deal

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact Editor in Chief Kyle Brasseur.