Premera Blue Cross Pays Big Money to Resolve HIPAA Investigation

Premera Blue Cross has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to resolve possible violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.

Premera Blue Cross is an independent licensee of the Blue Cross Blue Shield Association. It is the “largest health plan in the Pacific Northwest” and serves more than two million people in Alaska and Washington.
The settlement stems from a 2014 cyber-attack that lasted almost nine months and affected more than 10.4 million people. It is the second-largest payment to resolve a HIPAA investigation in OCR's history.
In 2014, cyber attackers utilized a phishing email to install malware in Premera Blue Cross’s information technology system. The hackers remained undetected for nearly nine months. During this time protected health information was exposed including “names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information.”
HHS's investigation found numerous potential violations. Notably, Premera Blue Cross potentially failed to prevent unauthorized access to the electronic protected health information (ePHI) maintained in its network. It is also possible that Premera Blue Cross did not conduct a risk and vulnerability assessment of its ePHI and failed to implement sufficient security measures.
In addition to the financial agreement, Premera Blue Cross will also implement a corrective action plan. The corrective action plan includes two years of monitoring. Under the corrective action plan, Premera Blue Cross will conduct a risk analysis and develop and implement a risk management plan.
OCR Director Roger Severino said of the settlement, “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will.”
Severino continued, “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”
