A data breach that was the result of a phishing attack and went undetected for nine months, compromising the personal information of more than 10 million individuals, has cost a health insurance provider nearly $7 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA).
The phishing attack, which occurred in May 2014, resulted in malware being installed inside the network of Premera Blue Cross. The malware allowed the perpetrators to access the names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information of 10.4 million individuals over the course of nine months. After the breach was reported to the Department of Health and Human Services in March 2015, an investigation was conducted and the company was found to have failed to conduct enterprise-wide risk analyses and to have failed to implement proper risk management and audit controls.
Along with paying a fine of $6.8 million, Premera Blue Cross also agreed to implement a corrective action plan that will require the company to conduct a risk analysis, develop and implement a risk management plan, and make available updated copies of its policies and procedures.
“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said Roger Severino, the director of HHS’s Office of Civil Rights, in a statement. “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”
This is the third settlement announced in the past 10 days between a healthcare provider and the HHS. Previously, settlements were announced with Athens Orthopedic Clinic and CHSPSC.