On September 25, 2020 the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced what it billed to be the second largest payment to resolve a HIPAA investigation ever. Premera Blue Cross (“Premera”) has agreed to pay $6.85 million and enter into a corrective action plan for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
According to HHS, in May 2014 hackers accessed Premera’s computer system and were not detected until nine months later. This breach involved the data of over 10,400,000 people, including their name, address, date of birth, email, Social Security numbers, bank account information and health plan clinical information. Premera reported the breach in May of 2015.
According to the HHS press release, “OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.”
You can read the HHS Resolution Agreement and the Corrective Action Plan here: https://www.hhs.gov/sites/default/files/premera-ra-cap.pdf