Washington State-based Primera Blue Cross (PBC) is $6.85 million in the hole to the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
That’s not all. The resolution represents the second largest payment to resolve a HIPAA investigation in OCR history. It also includes a robust corrective action plan that calls for, among other things, two years of monitoring.
The violations are related to a breach reported by PBC on behalf of itself and its network of affiliates on March 17, 2015, stating that hackers had gained unauthorized access to its IT systems. Perpetrators used a phishing email to install malware that gave them access to patient files in May 2014—access that went undetected for nearly nine months, until January 2015.
Protected health information (PHI) pertaining to more than 10.4 million PBC enrollees was exposed during the cyberattack. OCR’s subsequent investigation found systemic non-compliance with the HIPAA rules, encompassing failure to conduct a required enterprise-wide risk analysis. It also uncovered failures to implement risk management and audit controls.
In an HHS press release, OCR Director Roger Severino says the case “vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.” Severino also notes that, “if large health insurance companies don’t invest the time and effort to identify their security vulnerabilities,” human or technical, “hackers surely will.”
PBC operates in Washington and Alaska and is the largest health plan in the Pacific Northwest.
Read the resolution agreement and corrective action plan here.
In other notable payout news, The New York City Health and Hospital Corp. and a podiatrist will pay $1.25 million to settle claims that they had violated the False Claims Act by improperly billing Medicare and Medicaid for hospital and professional services at Coney Island Hospital in Brooklyn, according to Bloomberg Law.