Premera Blue Cross will pay $6.9 million in a settlement with the Trump administration over a data breach that exposed confidential information on more than 10 million people across the country.
The insurer operates in Washington and Alaska and is the largest health plan in the Pacific Northwest, serving more than 2 million people.
The settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) marks the second-largest payment to resolve a Health Insurance Portability and Accountability Act (HIPAA) violation in the agency’s history, according to an HHS press release.
Two years ago, Anthem paid a record $16 million for a landmark 2015 breach that impacted nearly 79 million consumers.
Premera filed a breach report on March 17, 2015, on behalf of itself and its network of affiliates stating that cyberattackers had gained unauthorized access to its information technology system.
During the breach, which went undetected for nearly nine months from May 2014 to January 2015, a hacker had unauthorized access to the Premera network containing 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and health plan clinical information, according to HHS.
The hackers used a phishing email to install malware that gave them access to Premera’s IT system.
OCR’s investigation found systemic noncompliance with the HIPAA rules including failure to conduct an enterprisewide risk analysis and failures to implement risk management and audit controls, HHS said.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR director, in a statement.
Premera also agreed to implement a corrective action plan (PDF) that includes two years of monitoring.
The insurer settled a $10 million lawsuit with 30 states in July 2019 over the 2014 breach.
Washington state Attorney General Bob Ferguson led a coalition of 30 state attorneys general investigating the company’s practices following the 2014 health data breach that affected 10.4 million individuals nationwide and 6.4 million Washington state residents.
In 2019 Premera also settled a federal class-action lawsuit for $74 million on behalf of affected customers of the breach.
For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera about the vulnerabilities within its system including inadequate patching management but the company failed to fix the problems, according to Washington state’s complaint against Premera filed after the breach.