October 01, 2020

2014 Advanced Persistent Threat Attack Leads to the Second Largest HIPAA Settlement on Record at $6.85 Million

On September 25, OCR announced the second largest HIPAA settlement to date. Premera Blue Cross (“Premera”), the largest health plan in the Pacific Northwest, agreed to pay $6.85 million and to enter into a corrective action plan with two years of monitoring to resolve a breach that began in 2014. In May 2014, attackers gained access to Premera’s information technology systems and remained undetected for nine months. During that time, the personal information of more than 10.4 million people was exposed. The breach was reported in May 2015, and an investigation determined that it originated with a phishing email that installed malware on Premera’s systems. This kind of long-dwelling, targeted intrusion is known as an advanced persistent threat (“APT”), and it gave the attackers access to all forms of PHI, including names, addresses, Social Security numbers, and health plan clinical information. OCR found systemic noncompliance with the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failure to implement risk management and audit controls, which left the breach possible and undetected for so long.