Serviceteam IT Security News

A health insurance company in Washington state has been slapped with the second-largest ever HIPAA violation penalty.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85m penalty on Premera Blue Cross to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Premera Blue Cross is a not-for-profit Blue Cross Blue Shield licensed health insurance company based in Mountlake Terrace. In 2014, the company suffered a data breach that impacted the protected health information (PHI) of 10.4 million people.

An advanced persistent threat (APT) group successfully used a spear-phishing attack to gain access to Premera’s computer system. Over the course of nine months, the group accessed data including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information of Premera customers.

Attackers compromised Premera in May 2014, but their activities were not discovered by the company until January 2015. The OCR was notified of the data breach two months later.

After investigating the security incident, the OCR identified “systemic noncompliance” with the HIPAA Rules by Premera Blue Cross.

Failings identified by investigators included neglecting to conduct a comprehensive and accurate risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI and not taking steps to reduce risks and vulnerabilities to electronic PHI to a reasonable and appropriate level.

Premera was further found to have failed to implement sufficient hardware, software, and procedural mechanisms to record and analyze activity related to information systems containing ePHI, prior to March 8, 2015.

Premera has agreed to pay $6.85m and implement a “robust corrective action plan” that includes two years of monitoring. Under the agreement, the company must set up a risk-analysis plan and review it at least once a year.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said Roger Severino, OCR director.

“This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

Source: Infosecurity Magazine
