Washingtons health insurer, Premera Blue Cross, has been charged with the second-largest HIPAA settlement ever. A prolonged cyberattack ensued the breach of up to 11 million patients’ personal and healthcare information, seriously violating The Health Insurance Portability and Accountability Act (HIPAA) 1996 Health and Security Rules.
How did the attack happen?
In 2014 a sophisticated cyber attack took place in which hackers entered Premera’s IT systems through phishing emails used to install malware.
OCR investigated the situation and discovered the incident was made possible due to the company’s systematic non-compliance to security regulations, allowing it to go unnoticed for nine months before it was finally detected in March 2015.
Similar to other cases we have discussed recently, cyber security experts had in fact alerted Premera about the flaws in its IT system prior to the beach. Ultimately, the company’s failure to respond to the vulnerabilities presented by security professionals allowed the breach to take place, seriously damaging Premera’s reputation.
Who was affected?
It has been reported that the hackers accessed data from almost twenty years back, inevitably posing substantial repercussions for the company and its consumers. They accessed bank details, addresses, Social Security Numbers, and more. The scope of the attack was huge – almost eleven million people had their information breached.
Premera is beginning its recovery process, mailing notification letters to affected individuals and offering perks- if you can really even call it that – including free credit monitoring for two years. However, for most, the damage has been done and the trust has been lost.
What was the legal fallout?
Fortunately, the insurer reported the issue to the FBI as soon as it was detected. However, it was just too little too late, and Premera was charged a huge $74 million to settle a class-action lawsuit for the breach. On 25th September 2020, the US Department of Health and Human Services Federal regulators charged the company with an additional $6.85 million.
A Corrective action-plan has also been enforced.
The nature of this incident is becoming increasingly common. The scope of the attack and extensive damage resulting highlights the importance of running frequent security checks and responding to red flags. There are many lessons to be learned about preparedness – a proactive approach to security is a smart approach to the future.