HHS Resolution Agreement: Premera Blue Cross (March 30, 2020); HHS News Release (Sept. 25, 2020)
HHS’s Office for Civil Rights (OCR) has announced a $6.85 million resolution agreement with a health insurer to settle potential violations of HIPAA privacy and security rules that led to a breach of protected health information (PHI) affecting more than 10 million individuals. The underlying breach was attributed to cyberattackers using a phishing email campaign to install malware that gave them access to the insurer’s IT system. The attack, which went undetected for nearly nine months, compromised individuals’ names and contact information, birthdates, Social Security numbers, bank account information, clinical information, and other PHI. OCR’s investigation found systemic noncompliance with the HIPAA rules including failures to conduct an enterprise-wide risk analysis, implement sufficient security measures to manage risk, and adopt audit controls to record and examine information system activity.
In addition to the settlement payment, the insurer agreed to a corrective action plan (CAP). The CAP requires the insurer to conduct an enterprise-wide risk analysis and adopt a corresponding risk management plan, each subject to OCR review and approval. The insurer must also revise—subject to OCR approval—numerous policies and procedures, including those addressing risk analysis and management; access and audit controls; information system activity review; user authentication; integrity of PHI; and transmission security. The revised policies and procedures must be made available to the insurer’s existing workforce within 30 days after adoption and to new workforce members within 30 days of their start date.
EBIA Comment: According to OCR, this settlement includes the second-largest payment in OCR’s history of HIPAA investigations. The largest payment was a $16 million settlement with a different insurer in a breach involving almost 79 million individuals (see our Checkpoint article). Despite the size of these payments, they represent only a fraction of the financial consequences of a breach of this magnitude. In addition to the settlement payment and the costs associated with implementing the CAP, this insurer agreed in a separate class action settlement to pay $32 million in costs incurred by class members and an additional $42 million to improve data security over a three-year period (see our Checkpoint article). Moreover, breaches create negative publicity, interrupt business operations, and harm employee relations. Having an incident response plan in place before a breach happens can help reduce cost, uncertainty, and disruption. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XXV.H (“Guide to Planning for Breach Notification”), and XXX (“Core Security Requirements”). You may also be interested in our webinar “HIPAA Breaches: Preparation and Response” (recorded on 9/10/20).
Contributing Editors: EBIA Staff.