Health Insurer Pays Second Largest HIPAA Fine After Breach Exposes 10.4 Million Records

September 25, 2020

The Office for Civil Rights (OCR) has announced so many HIPAA fines this month, we’re running out of catchy phrases and punny jokes to write about them. While we’ve hopefully given you a good laugh (or at least a chuckle…maybe?), Premera Blue Cross certainly isn’t laughing after the OCR dished them a $6.85 million fine as well as a 2-year corrective action plan after a data breach exposed the records of 10.4 million people.

A $6.85 million fine is no small feat, and in fact ranks as the second-largest payment to resolve a HIPAA violation in OCR history. This historic settlement was reached with Premera Blue Cross (PBC), the largest health plan in the Pacific Northwest, after PBC reported in March 2015 that cyberattackers had gained access to its IT system and network of affiliates. The hackers weaseled their way into the system through a phishing email (fishing for access, that is) that installed malware back in May 2014. The malware went undetected for nine months, until January 2015. During that time, hackers were able to access the PHI of more than 10.4 million individuals – everything from names and addresses to Social Security and bank account numbers.

The breach report initiated an OCR investigation where (surprise, surprise) they found systemic noncompliance with HIPAA. As an insurance company, PBC qualifies as a covered entity and is subject to all the same HIPAA standards as independent practices. PBC was caught red-handed, missing key HIPAA requirements including:

We don’t mean to sound like a broken record, but there seems to be a running trend of hacking incidents uncovering long-standing noncompliance with HIPAA. As OCR Director Roger Severino put it, covered entities need to “invest the time and effort to identify their security vulnerabilities, be they technical or human,” before hackers do. Unidentified technical vulnerabilities and human error let hackers roam free in PBC’s system and resulted in the massive loss of PHI.

Need more proof the OCR is on a roll? In the last two weeks of September alone, it has levied 8 HIPAA settlements totaling $10,786,500 in fines. If these past two weeks are any indication, all covered entities, and especially practices, should be adding HIPAA to the top of their priority list.

Think you fall in the “we might possibly be in trouble” category? First, find out what you don’t know about HIPAA in a complimentary educational webinar today.