Premera Blue Cross Slapped With $6.8 Million HIPAA Fine
Penalty Is Second Largest Ever Issued
Premera Blue Cross has agreed to pay a $6.85 million fine, the second largest HIPAA settlement ever announced by federal regulators. The case stems from a 2014 breach, which went undetected for nine months and exposed the information of 10.4 million individuals.
In a Friday statement, the Department of Health and Human Services’ Office for Civil Rights says its investigation into the Premera breach, which was reported in March 2015, found “systemic noncompliance” with the HIPAA rules, including failure to conduct an enterprisewide risk analysis and implement risk management as well as audit controls.
In 2019, Premera reached a $74 million settlement of a consolidated class action lawsuit tied to the breach as well as a $10 million HIPAA settlement with the attorneys general of 30 states.
OCR's Premera settlement "is another example showing the risk when organizations do not invest in technologies that perform information system-activity audit and review," says privacy attorney David Holtzman of the consulting firm HITprivacy, who is a former senior adviser at OCR.
Other Recent Settlements
The resolution agreement signed with Premera is the eighth HIPAA settlement that OCR has announced in the last two weeks.
Two other breach settlements revealed this week involved hacking incidents, and five smaller cases focused on patients’ right to access their records (see Fines Tied to Failure to Provide Patients Records).
On Wednesday, OCR announced a $2.3 million settlement with Tennessee-based CHSPSC LLC, a unit of Community Health Systems Inc., for a 2014 hacking incident affecting 6.1 million individuals.
On Monday, OCR announced a $1.5 million settlement with Georgia-based Athens Orthopedic Clinic for a 2016 incident involving The Dark Overlord hacking group that impacted 209,000 individuals.
Among the Largest Fines Ever
The Premera settlement is the second largest HIPAA settlement ever issued by OCR. The biggest was a $16 million settlement in 2018 with another health insurer, Anthem, after a hacking incident that compromised the protected health information of nearly 79 million individuals.
Former OCR senior adviser Iliana Peters, a privacy attorney at the law firm Polsinelli, notes that while OCR’s breach investigations and settlement negotiations generally take a long time, she suspects that the agency is attempting to resolve these high-impact cases before the end of the federal fiscal year on Sept. 30.
Under the HITECH Act, OCR can apply the financial penalties it collects to its future enforcement efforts.
“Just because we are nearing the end of the federal government’s fiscal year does not mean we won’t see additional settlements in the coming months as well,” Peters adds.
Premera Breach Details
Premera is the largest health insurer in the Pacific Northwest, serving more than 2 million people in Washington and Alaska, OCR notes.
On March 17, 2015, Premera filed a breach report stating that cyberattackers had gained unauthorized access to its information technology system.
“The hackers used a phishing email to install malware that gave them access to Premera’s IT system in May 2014, which went undetected for nearly nine months until January 2015,” OCR says.
This undetected advanced persistent threat resulted in the disclosure of more than 10.4 million individuals’ PHI, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and health plan clinical information, OCR says.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” says Roger Severino, OCR director. “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”
Corrective Action Plan
The resolution agreement with Premera includes a corrective action plan that requires the insurer to:
- Conduct an analysis of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information;
- Develop an enterprisewide risk management plan to mitigate security risks and vulnerabilities;
- Review, develop, maintain and revise written privacy and security policies and procedures and distribute them to the workforce.
In a statement provided to Information Security Media Group, the insurer says: “Premera takes the security of its data and the personal information of its customers seriously and has worked cooperatively with the OCR since the attack was made public in 2015. It is important to note that independent investigators have made no determination that any customer information was removed from Premera’s systems. Premera continues to enhance its cybersecurity programs and practices, achieving an industry-leading HITRUST certification in 2018.”
Lessons to Learn
Almost every OCR enforcement action involving a breach of PHI can be traced back to the HIPAA covered entity or business associate failing to implement a risk management plan that includes continuous assessment and response to constantly evolving threats and vulnerabilities, Holtzman notes.
"The HIPAA Security Rule requires covered entities and business associates to implement technical safeguards for monitoring access and alerting organizations to inappropriate activity and identifying potential threats in the network," he says.
Peters also stresses that OCR’s settlement with Premera highlights the lack of an enterprisewide HIPAA risk analysis and risk management plan. “These are the potential violations about which OCR has assessed the most settlements and penalties and represent the most legal risk for HIPAA covered entities and business associates,” she adds.
Many covered entities and business associates still have not completed a risk analysis as required by the HIPAA Security Rule, Peters says.
“The potential violations included in this settlement are very straightforward, from a compliance perspective: First, an entity must assess its risk to its data enterprisewide. Second, the entity must implement reasonable and appropriate controls to manage the risks. And third, the entity must detect and respond to security incidents when they occur.”