Premera Blue Cross has agreed to pay HHS' Office for Civil Rights $6.85 million, the second-largest fine resolving alleged HIPAA violations in OCR's history, the agency said Friday.
OCR imposed the fine on the Mountlake Terrace, Wash.-based health insurer to settle alleged HIPAA violations linked to a 2014 data breach that compromised data on 10.4 million people.
In May 2014, hackers targeted Premera Blue Cross with a phishing email that installed malware on the insurer's information system, giving them access to some of the company's data. That access went undetected for nearly nine months, until January 2015, according to OCR.
Premera Blue Cross filed a report with the agency detailing the incident in March 2015.
The undetected cyberattack exposed protected health information on more than 10.4 million people, including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and clinical information.
During an investigation, OCR officials said they found "systemic noncompliance with the HIPAA rules," such as alleged failures to implement risk management and audit controls, as well as to conduct risk analyses.
"This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months," said OCR Director Roger Severino in a statement. "If large health insurance entities don't invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will."
In addition to the monetary settlement, Premera Blue Cross will implement a corrective action plan that includes HHS monitoring the insurer's compliance with HIPAA for two years.
Premera Blue Cross has "worked cooperatively with the OCR" since 2015 and has continued to build on its cybersecurity programs and practices, receiving a certification from security standards development organization HITRUST in 2018, a company spokesperson said in an emailed statement.
He added that independent investigators have "made no determination that any customer information was removed from Premera's systems" on account of the hack.
"We are pleased to have reached an agreement with the federal Office for Civil Rights to resolve legal inquiries into the 2014 cyberattack on our data network," the statement reads. "The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information."
The largest HIPAA settlement reached by OCR to date is a $16 million fine paid by Anthem in 2018, resolving a massive 2015 data breach that hit nearly 79 million people.