Washington-based health insurer Premera Blue Cross will pay a $6.85 million fine to resolve a data breach that could have exposed more than 10 million people’s protected health information. The HIPAA fine would be the second largest paid to the Department of Health and Human Services’ Office for Civil Rights to date.
According to HHS, hackers used a phishing email in 2014 to install malware, giving them access to Premera’s IT system. They were reportedly able to access members’ names, addresses, Social Security numbers, bank account information and clinical information from their health plans. The breach wasn’t discovered until January of 2015, almost nine months later.
In its investigation, the OCR said that Premera failed to assess potential risks and vulnerabilities to protected health information, and failed to implement risk management. As part of its settlement with HHS, it must follow a corrective action plan that includes two years of monitoring. The company will also be required to come up with a risk analysis and risk management plan that are approved by HHS.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” OCR Director Roger Severino said in a news release. “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”
An Oregon federal judge approved a separate settlement in March for a class action lawsuit filed after the breach. Per that agreement, Premera will put $32 million into a settlement fund to cover the cost of credit monitoring services and identity theft insurance for members, and reimburse them for out-of-pocket losses.
The company will also spend $42 million to beef up its security over the next three years.
Premera had not responded to requests for comment at the time of publication.