Coming in second can sometimes be a good thing. But not when you’re on the receiving end of a HIPAA fine and have to pay out $6.9 million, as Premera Blue Cross did. The insurer is the largest health plan in the Pacific Northwest, serving more than 2 million people. This fine is the second-largest payment made to resolve a HIPAA violation in the history of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS).
The breach resulted in the confidential information of over 10 million people being exposed countrywide. In March of 2015, Premera filed a breach report on behalf of itself and its network of affiliates indicating that hackers had gained unauthorized access to its IT system. The breach went undetected for nearly 9 months, during which time cybercriminals had access to its network, which held the protected health information (PHI) of 10.4 million individuals. According to HHS, these records contained names, dates of birth, email addresses, physical addresses, Social Security numbers, banking information, and health plan clinical information.
While the nearly $7 million fine is staggering, it comes in at less than half of the largest fine on record to date: the $16 million fine paid by Anthem for a breach that affected 79 million customers.
And That’s Not All
Of course, as was expected, a monetary fine is not all that Premera will be held accountable for. It must also implement a corrective action plan that includes two years of monitoring. Additionally, it settled a $10 million lawsuit with 30 states as a result of this breach. That effort was led by Washington State Attorney General Bob Ferguson, who investigated the company’s practices; the breach affected 6.4 million of his state’s residents.
But that’s not all. In 2019 Premera settled a federal class-action lawsuit on behalf of customers affected by the breach. That amount? $74 million.
One of the most disappointing parts of this was learning that Premera had been warned repeatedly by cybersecurity experts and even its own internal auditors that it was at risk because of known vulnerabilities in its systems, including patch management that was not up to par. The ignorance or “it can’t happen to us” mentality is detrimental in so many ways. Not only can it result in this kind of monetary fine, but it also damages a company’s reputation and ability to move forward. In the end, the patients and consumers suffer tremendously when their data is exposed.
Ongoing education of healthcare employees should include reminders that while their jobs are at stake for unsafe cyber practices, so are their own private health information and the affordability of their own healthcare.