Health Insurer Pays $6.85 Million in Second Largest HIPAA Settlement
In the second largest settlement related to a violation of the HIPAA privacy and security rules, Premera Blue Cross will pay $6.85 million over a data breach that exposed the protected health information (PHI) of 10 million people. The settlement stems from a cyberattack that gained unauthorized access to the health insurer’s information technology system. The hacker breached the system in May 2015 through a phishing email that installed malware, but the breach was not discovered until nearly nine months later. The hacker had access to individuals’ information such as names, addresses, birth dates, Social Security numbers, and bank accounts, along with their medical information.
The Office of Civil Rights (OCR), the office within the Department of Health and Human Services that enforces HIPAA privacy provisions, found systemic noncompliance with HIPAA requirements, including a failure to conduct risk analyses, implement risk management, and institute audit controls. Prior to the breach, cybersecurity experts and Premera Blue Cross’s own auditors warned of vulnerabilities in the system, but the company failed to correct the problems. In addition to the financial settlement, Premera Blue Cross will be required to institute a corrective action plan, which includes two years of monitoring.