[BreachExchange] Premera Blue Cross pays 2nd-largest HIPAA fine for 2014 breach

Destry Winant destry at riskbasedsecurity.com
Mon Sep 28 10:29:50 EDT 2020


https://www.fiercehealthcare.com/tech/premera-blue-cross-to-pay-6-9m-to-hhs-for-2014-data-breach

Premera Blue Cross will pay $6.9 million in a settlement with the
Trump administration over a data breach that exposed confidential
information on more than 10 million people across the country.

The insurer operates in Washington and Alaska and is the largest
health plan in the Pacific Northwest, serving more than 2 million
people.

The settlement with the Office for Civil Rights (OCR) at the U.S.
Department of Health and Human Services (HHS) marks the second-largest
payment to resolve a Health Insurance Portability and Accountability
Act (HIPAA) violation in the agency's history, according to an HHS
press release.

Two years ago, Anthem paid a record $16 million for a landmark 2015
breach that impacted nearly 79 million consumers.

Premera filed a breach report on March 17, 2015, on behalf of itself
and its network of affiliates stating that cyberattackers had gained
unauthorized access to its information technology system.

During the breach, which went undetected for nearly nine months from
May 2014 to January 2015, a hacker had unauthorized access to the
Premera network containing 10.4 million individuals' protected health
information including their names, addresses, dates of birth, email
addresses, Social Security numbers, bank account information and
health plan clinical information, according to HHS.

The hackers used a phishing email to install malware that gave them
access to Premera's IT system.

OCR’s investigation found systemic noncompliance with the HIPAA rules,
including a failure to conduct an enterprise-wide risk analysis and
failures to implement risk management and audit controls, HHS said.

“If large health insurance entities don’t invest the time and effort
to identify their security vulnerabilities, be they technical or
human, hackers surely will. This case vividly demonstrates the damage
that results when hackers are allowed to roam undetected in a computer
system for nearly nine months,” said Roger Severino, OCR director, in
a statement.

Premera also agreed to implement a corrective action plan that
includes two years of monitoring.

The insurer settled a $10 million lawsuit with 30 states in July 2019
over the 2014 breach.

Washington state Attorney General Bob Ferguson led a coalition of 30
state attorneys general investigating the company’s practices
following the 2014 health data breach that affected 10.4 million
individuals nationwide and 6.4 million Washington state residents.

In 2019 Premera also settled a federal class-action lawsuit for $74
million on behalf of affected customers of the breach.

For years prior to the breach, cybersecurity experts and the company’s
own auditors repeatedly warned Premera about the vulnerabilities
within its system, including inadequate patch management, but the
company failed to fix the problems, according to Washington state's
complaint against Premera filed after the breach.
