
Premera Pays OCR $6.85M to Settle HIPAA Violations, Breach of 10.4M

An OCR investigation into the 2015 Premera Blue Cross healthcare data breach, which impacted 10.4 million patients, found systemic noncompliance with HIPAA. The insurer will pay $6.85 million to settle with OCR.

The Department of Health and Human Services Office for Civil Rights has settled with Premera Blue Cross for $6.85 million and a corrective action plan, after an investigation into the insurer’s 2015 data breach, which impacted 10.4 million patients, revealed systemic noncompliance with the HIPAA Rules.

The OCR settlement with Premera is the second largest in agency history. The largest was imposed on Anthem for $16 million, following its 2015 data breach that affected nearly 79 million patients.

For Premera, the settlement stems from a targeted, sophisticated cyberattack discovered by the insurer on January 29, 2015. The advanced persistent threat gave hackers access to Premera’s systems for nearly a year before it was detected, from March 2014 to January 2015. 

As a result, the attackers were able to access a range of applicant and member data, including contact details, Social Security numbers, clinical data, and claims information, as well as other sensitive data. The hack affected Premera and some of its affiliates, including Premera Blue Cross Blue Shield of Alaska and the health insurer’s affiliate brands Vivacity and Connexion Insurance Solutions.

The breach had a ripple effect, with patients filing a class-action lawsuit and 30 states launching investigations. Premera has already settled with those states for $10 million and with breach victims for $74 million.

OCR also launched an investigation into Premera following the breach notification, which found multiple potential HIPAA violations, including failure to conduct an enterprise-wide risk analysis of potential risks and vulnerabilities to protected health information and failures to implement both risk management and audit controls. 

Further, OCR found Premera failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. And until March 8, 2015, Premera had not implemented the HIPAA-required hardware, software, and/or procedural mechanisms to record and examine information system activity.

In addition to the monetary settlement, Premera has entered into a corrective action plan with OCR. Under the CAP, the insurer is required to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.

Premera is also required to develop and implement an enterprise-wide risk management plan to address and mitigate the security risks and vulnerabilities identified in its risk analysis. The plan must include a process and timeline for implementing, evaluating, and revising its risk remediation measures.

In addition, the insurer is required to review and, where necessary, develop, revise, and maintain its written privacy and security policies and procedures, which must address the federal standards for securing individually identifiable health information.

All policies and procedures must be distributed to Premera’s workforce, with confirmation of receipt.

Lastly, these policies and procedures must, at a minimum, address the security provisions of HIPAA, including risk analysis and management, information system activity review, access and audit controls, integrity, person or entity authentication, and transmission security.

After a lull during the COVID-19 pandemic, OCR has released a steady stream of settlements with healthcare entities and business associates for failing to meet HIPAA standards. In the last month, OCR announced settlements with seven other entities, including the Athens Orthopedic Clinic, CHSPSC, and five providers for HIPAA Right of Access failures. 
