On September 25, 2020, the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) issued a press release announcing that Premera Blue Cross (Premera) had agreed to pay $6,850,000 and implement a Corrective Action Plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The Premera settlement is the second largest payment to resolve a HIPAA investigation in OCR’s history, trailing Anthem’s 2018 agreement to pay a $16 million to settle alleged violations resulting from a cyberattack that exposed the PHI of about 79 million people. 

The alleged Premera violations stem from a data breach that affected the protected health information (PHI) of more than 10.4 million customers and workers. The Premera settlement follows shortly after two other recent OCR settlements were announced related to data breaches and hacking, one involving a management company business associate and the other an orthopedic clinic covered entity.

Premera is a health insurer operating in Washington state and Alaska. It is the second largest health plan in the Pacific Northwest, serving more than two million people. This CAP is not an admission of liability by Premera.

On March 17, 2015, Premera submitted a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system. In May 2014, the hackers used an email phishing campaign to install malware that allowed them access to Premera’s IT system. The hacker’s access went undetected until January 2015. Such an undetected cyberattack, known as an advanced persistent threat, resulted in the disclosure of individuals’ protected health information (PHI), including patients’ names, dates of birth, addresses, email addresses, social security numbers, bank account information, and health plan clinical information. OCR’s investigation revealed noncompliance with the HIPAA Rules, including a failure to conduct an enterprise-wide risk analysis and failures to implement risk management and audit controls.  

In addition to the $6,850,000 monetary settlement, Premera has agreed to what HHS officials called a “robust” CAP that includes two (2) years of monitoring by HHS and a requirement to complete each of the following: 

• Conduct a risk analysis of potential risks and vulnerabilities of PHI, to be submitted to HHS for review and approval; 
• Develop an enterprise-wide risk management plan to address and mitigate security risks and, subject to HHS’ approval, implement the risk management plan;
• Review and revise its HIPAA privacy and security policies and procedures, which must include minimum specific  measures set forth in the CAP and must be submitted to HHS for approval;
• Distribute the revised policies and procedures to Premera’s existing and new workforce members;
• Promptly investigate any information received indicating that a workforce member subject to the revised policies and procedures has not complied with those requirements; and
• Notify HHS within sixty (60) days if Premera determines that a member of its workforce has materially failed to comply with the above revised policies and procedures.

This settlement is an important and costly reminder that, as stated by OCR Director Roger Severino, if covered entities “don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.” Covered entities and their business associates must ensure they have implemented HIPAA-compliant security protections to protect against cyberattacks. Covered entities – both provider and payors – should review their HIPAA Privacy Rule and Security Rule policies and procedures to ensure they are fully compliant and up-to-date.