Insurance provider Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services (HHS) regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.

The fine, announced Friday and to be paid to the Office for Civil Rights (OCR) at the HHS, is the second-largest ever for violations of the Health Insurance Portability and Accountability Act (HIPAA) in OCR history. As part of the settlement, Premera agreed to a two-year monitorship and to implement a robust corrective action plan.

According to the HHS’s findings, Premera in May 2014 was the victim of a cyber-attack coordinated by hackers using a phishing email to install malware. The breach went unnoticed until January 2015, and Premera filed a breach report two months later, but the names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information of those more than 10 million people had been left exposed during that nine-month window.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said OCR Director Roger Severino in a press release. “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

During its investigation, the OCR said it discovered numerous instances of noncompliance with HIPAA rules at Premera, including “failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.” In its resolution agreement, the HHS also noted that Premera did not have sufficient security measures or the required software in place to protect customer data. The corrective action plan Premera agreed to implement focuses on improvements in these areas.

Premera is the largest health plan in the Pacific Northwest, serving more than two million people. The insurer did not admit to HHS’s findings as part of its settlement.

The largest HIPAA-related fine handed down by the HHS remains $16 million, levied against Anthem in 2018 in response to a data breach that exposed the health information of almost 79 million people.