Health insurer Premera Blue Cross will pay a fine of $6.8 million to resolve a data breach incident that affected ten million people.
Dubbed the second-largest HIPAA fine in history, the incident exposed individuals' protected information, including full names, dates of birth, addresses, Social Security numbers, bank information, and more.
Following a series of investigations, the Washington-based insurer determined that the breach occurred in April 2014 and was only detected in January 2015. Hackers gained access to Premera's IT systems through a phishing email.
The email carried malware which, once installed, gave the attackers access to the insurer's systems. According to the OCR, Premera failed to assess the potential risks of the breach, as well as the vulnerabilities of the data that was exposed.
“This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said OCR Director Roger Severino. Claiming that Premera failed to identify its systems' weak points, the director added that the hackers easily spotted the vulnerabilities.
Part of the HIPAA settlement is a corrective action plan that includes two years of monitoring of Premera's systems. Premera must also produce a risk analysis and risk management plan approved by the HHS.
The healthcare sector is among the vulnerable industries that hackers prey on. Premera's hacking incident isn't the first of its kind, but it is one of the largest in history. U.S. healthcare organizations easily fall victim to data breaches when security gaps go undetected.
Anthem, another healthcare provider, was hit by a breach that affected 80 million members and employees. In addition to medical ID numbers, hackers also accessed the income data and Social Security numbers of Anthem members.
In addition to the Premera platform, several other healthcare affiliates were affected, including Vivacity and Connexion Insurance Solutions.
Insufficient Security Measures
The OCR claimed Premera failed to implement the security measures needed to reduce the vulnerabilities of its systems. More than five months after the breach, the company still had not implemented the HIPAA-approved hardware for monitoring security system activity.
The clear violation and neglect prompted affected parties to file a class-action lawsuit. Members of the affected insurance companies filed one, prompting several states to launch an investigation.
The insurer settled for roughly $10 million with the affected states and paid an additional $70 million to the breach victims.