Breach costs Premera Blue Cross $6.85M; second-largest HIPAA fine

By Kyle Brasseur2020-09-28T21:24:00+01:00

No comments

Insurance provider Premera Blue Cross has agreed to pay $6.85 million in a settlement with the U.S. Department of Health and Human Services (HHS) regarding a 2014 data breach that affected the personal and health plan information of over 10.4 million people.

The fine, announced Friday and to be paid to the Office for Civil Rights (OCR) at the HHS, is the second-largest ever for violations of the Health Insurance Portability and Accountability Act (HIPAA) in OCR history. As part of the settlement, Premera agreed to a two-year monitorship and to implement a robust corrective action plan.

According to the HHS’s findings, Premera in May 2014 was the victim of a cyber-attack coordinated by hackers using a phishing email to install malware. The breach went unnoticed until January 2015, and Premera filed a breach report two months later, but the names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information of those more than 10 million people had been left exposed during that nine-month window.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said OCR Director Roger Severino in a press release. “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

During its investigation, the OCR said it discovered numerous instances of noncompliance with HIPAA rules at Premera, including “failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.” The HHS also noted Premera did not have sufficient security measures or the required software in place to protect customer data as part of its resolution agreement.The corrective action plan Premera agreed to implement focuses on improvements in these areas.

Premera is the largest health plan in the Pacific Northwest, serving more than two million people. The insurer did not admit to HHS’s findings as part of its settlement.

The largest HIPAA-related fine handed down by the HHS remains $16 million, levied against Anthem in 2018 in response to a data breach that exposed the health information of almost 79 million people.

Kyle BrasseurKyle Brasseur is Editor in Chief of Compliance Week. His background includes expertise in user personalization with ESPN.com.

Topics

No comments

Article
Excellus Health Plan fined $5.1M for 2015 data breach
2021-01-20T16:21:00Z
The U.S. Department of Health and Human Services’ Office for Civil Rights fined Excellus Health Plan $5.1 million for failures relating to a 2015 data breach that exposed the personal information of 9.3 million individuals.
Article
GoodRx’s mea culpa: Lessons for internet companies handling personal health data
2020-03-04T21:11:00Z
Telemedicine platform GoodRx has committed to enhancements of its consumer data protection after Consumer Reports called out its sharing practices regarding personal health information.
Article
Credit Suisse money laundering verdict start of new era of Swiss enforcement?
2022-07-01T17:58:00Z
Credit Suisse became the first major Swiss bank to be prosecuted for money laundering in the country after the Federal Criminal Court of Switzerland found the bank guilty of washing money connected to a Bulgarian drug smuggling syndicate.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More Regulatory Enforcement

Article
FINRA fines Barclays $2.8M over supervision, disclosure lapses
2022-07-01T16:36:00Z
Barclays Capital agreed to pay $2.8 million as part of a settlement with the Financial Industry Regulatory Authority for “failure to comply with customer confirmation and related supervision rules” that led to disclosure lapses.
Article
UBS to pay $25M over ‘inadequate’ training, oversight in SEC fraud case
2022-06-30T19:26:00Z
UBS Financial Services agreed to pay approximately $25 million to settle fraud charges brought by the SEC that cited “inadequate” training and supervisory oversight of the firm’s financial advisers regarding a complex options trading strategy.
Article
EY fined record $100M for employee cheating scandal
2022-06-28T16:38:00Z
Ernst & Young will pay $100 million after admitting to SEC charges addressing systematic cheating among its accounting professionals on CPA license exams over four years. The fine is the largest the agency has ever imposed against an audit firm.

Protect your company from cyber risks

Learn from the latest headlines and protect your company today

Breach costs Premera Blue Cross $6.85M; second-largest HIPAA fine

Topics

Related articles

Excellus Health Plan fined $5.1M for 2015 data breach

GoodRx’s mea culpa: Lessons for internet companies handling personal health data

Credit Suisse money laundering verdict start of new era of Swiss enforcement?

No comments yet

Only registered users can comment on this article.

More Regulatory Enforcement

FINRA fines Barclays $2.8M over supervision, disclosure lapses

UBS to pay $25M over ‘inadequate’ training, oversight in SEC fraud case

EY fined record $100M for employee cheating scandal