The U.S. Department of Health and Human Services (HHS) has announced that Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at HHS and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting more than 10.4 million people.
On March 17, 2015, PBC filed a breach report stating that attackers had used a phishing email to install malware that gave them access to PBC's IT systems in May 2014. The intrusion went undetected for nearly nine months. It resulted in the disclosure of more than 10.4 million individuals' protected health information, including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.
In addition to the monetary settlement, PBC has agreed to a corrective action plan that includes two years of monitoring by OCR.