A health insurance firm in the U.S. has been fined $6.8 million for a data breach that included sensitive medical information, a violation of the HIPAA Act.
Reports are circulating that the Department of Health and Human Services Office for Civil Rights (OCR) has issued a $6.85 million fine against Premera Blue Cross, a health insurance firm based in Washington State in the wake of a data breach.
The $6.85 million fine marks the second-largest fine ever issued by the Department of Health and Human Services’ Office for Civil Rights, after a 2014 data breach that saw the protected health information of 10.4 million people become compromised.
Data breaches resulting in unauthorised access to personally identifiable information and particularly sensitive information like protected health information is punishable under the 1996 Health Insurance Portability and Accountability (HIIPA) Act.
According to a report from InfoSecurity Magazine, “an advanced persistent threat (APT) group successfully used a spear-phishing attack to gain access to Premera’s computer system. Over the course of nine months, the group accessed data including names, addresses, dates of birth, email addresses, social security numbers, bank account information, and health plan information on Premera customers.”
Reports state that the hackers first compromised Premera’s systems in May of 2014, but the breach wasn’t discovered until January of 2015. The company notified the OCR two months after discovering the hacker’s activities.
After a lengthy investigation, the OCR said that the data breach and subsequent breach of HIPAA legislation at Premera Blue Cross was the result of “systemic noncompliance.”
Roger Severino, Director of the OCR has said that “if large health entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will.”
“This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” Severino added.
In addition to the financial terms of the settlement, the OCR has ruled that Premera Blue Cross must implement a “robust corrective action plan that includes two years of monitoring,” to ensure that vulnerabilities are addressed.
Premera Blue Cross has issued a statement saying that “we are pleased to have reached an agreement with the federal Office for Civil Rights to resolve legal inquiries into the 2014 cyberattack on our data network.”
“The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information,” a spokesperson said.
The $6.8 million settlement is the second-largest fine issued in violation of the HIPAA Act, with the largest fine being a $16 million ruling against health insurer Anthem Inc. In October of 2018, Anthem Inc was hit by the largest ever data breach targeting a health insurer when hackers compromised the protected health information of 79 million customers.