Premera Blue Cross’ $6.85 Million HIPAA Settlement
On March 17, 2015, Premera Blue Cross (“PBC”), the largest health plan in the Pacific Northwest, filed a breach report with the United States Department of Health and Human Services, Office for Civil Rights (“OCR”) indicating that cyber-attackers had accessed its information technology system, affecting the data of 10,466,692 individuals. The attackers used a phishing email to install malware in PBC’s system, which was undetected for nine months.
As a result of the breach report, OCR conducted an investigation and discovered that PBC failed to comply with several provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). OCR found that PBC failed to: conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic protected health information hosted on its system; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; implement sufficient hardware, software and/or procedural mechanisms to record and examine activity in its information systems containing or using electronic protected health information; and adequately prevent unauthorized access to electronic protected health information.
PBC agreed to a $6.85 million settlement, the second-largest OCR HIPAA-related settlement. Additionally, PBC entered into a corrective action plan that includes two years of monitoring.
How Frier Levitt Can Help
Although frequently the result of mandatory breach reporting, OCR investigations are not limited to the single breach that has been reported. OCR has evaluated and will continue to evaluate companies’ overall HIPAA compliance. Covered entities and their business associates must regularly evaluate their compliance efforts, as those who fail to maintain appropriate policies, procedures, and documented risk management prior to and after breaches have faced greater penalties upon investigation. Contact Frier Levitt for assistance with your organization’s HIPAA compliance program.