A health insurance company in Washington state has been slapped with the second-largest ever HIPAA violation penalty.
The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85m penalty on Premera Blue Cross to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Premera Blue Cross is a not-for-profit Blue Cross Blue Shield licensed health insurance company based in Mountlake Terrace. In 2014, the company suffered a data breach that impacted the protected health information (PHI) of 10.4 million people.
An advanced persistent threat (APT) group successfully used a spear-phishing attack to gain access to Premera’s computer system. Over the course of nine months, the group accessed data including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information of Premera customers.
Attackers compromised Premera in May 2014, but their activities were not discovered by the company until January 2015. The OCR was notified of the data breach two months later.
After investigating the security incident, the OCR identified “systemic noncompliance” with the HIPAA Rules by Premera Blue Cross.
Failings identified by investigators included neglecting to conduct a comprehensive and accurate risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI and not taking steps to reduce risks and vulnerabilities to electronic PHI to a reasonable and appropriate level.
Premera was further found to have failed to implement sufficient hardware, software, and procedural mechanisms to record and analyze activity related to information systems containing ePHI, prior to March 8, 2015.
Premera has agreed to pay $6.85m and implement a “robust corrective action plan” that includes two years of monitoring. Under the agreement, the company must set up a risk-analysis plan and review it at least once a year.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said Roger Severino, OCR director.
“This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”