BAS Blog

HIPAA Fines for Insurance Company

Written by BAS | Oct 1, 2020 3:18:26 PM

Premera Blue Cross (PBC), which operates in Alaska and Washington, was assessed a $6.85 million fine and required to implement a corrective action plan for potential HIPAA violations. The alleged breach impacted over 10.4 million people.

The incident occurred in 2014 and 2015. Cyber attackers used a phishing email and installed malware, giving them access to PBC’s IT system. The malware was installed in May 2014 and was not detected until January 2015. The attackers gained access to the protected health information of more than 10.4 million people, including names, addresses, birthdates, email addresses, Social Security numbers, bank account numbers and clinical health information.

When HHS investigated, it found pervasive noncompliance with the HIPAA Privacy and Security rules, including no risk analysis and no audit controls.

The settlement fine is the second largest in history, and PBC must implement a corrective action plan.