Premera Blue Cross has agreed to pay $10 million to resolve a multi-state data breach lawsuit. The 2014 breach, which affected 10.4 million records, was alleged to have resulted from violations of state and federal laws. Premera Health’s system was hacked on May 5, 2014 and remained accessible to the hacker, undetected, until March 6, 2015. The compromised data of plan members was highly sensitive and included names, birth dates, contact information, Social Security numbers and member ID numbers.
The 30 states involved in the lawsuit were Alabama, Arkansas, Arizona, Alaska, Connecticut, California, Hawaii, Florida, Indiana, Iowa, Idaho, Kentucky, Kansas, Louisiana, Massachusetts, Montana, Mississippi, Minnesota, Nebraska, New Jersey, Nevada, North Dakota, North Carolina, Ohio, Oklahoma, Oregon, Rhode Island, Washington, Vermont and Utah.
The investigation was led by Washington State Attorney General Bob Ferguson. Investigators examined the security vulnerabilities the hacker exploited to access such a massive volume of sensitive data, and also looked at how the attackers remained undetected for about a year.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires all HIPAA-covered entities to have technical, administrative and physical safeguards in place to protect the confidentiality, integrity and availability of protected health information (PHI). The investigators concluded that Premera Health had violated HIPAA because it failed to satisfy these minimum security requirements.
The violation was not a mere oversight: Premera Health had received repeated notices from its own auditors that its security program was inadequate, yet it did not resolve the security vulnerabilities to reduce the risk of a breach.
New Jersey Attorney General Gurbir S. Grewal stated that all firms, particularly those that handle sensitive health information, are expected to secure their customers’ information and to respond appropriately to a breach. The settlement of this lawsuit highlights the responsibilities of companies that fail to meet HIPAA requirements, the financial penalties they could face, and the need to improve their systems to avert future breaches.
Aside from the fine, Premera Blue Cross must implement additional security controls to ensure the protection of plan members’ electronic PHI. A third-party cybersecurity professional will perform annual cybersecurity reviews, and data security reports must also be submitted to the attorneys general.
Premera Blue Cross must also engage a CISO with expertise in HIPAA compliance and data security. The CISO will be responsible for enforcing Premera Health’s security program, must attend regular meetings of executive management, and must confer with the CEO at least once every other month. The CISO must also submit breach reports within 48 hours of discovering a breach.
Premera Blue Cross has incurred substantial costs within a single month. These include the $74 million settlement that Premera Blue Cross had to pay last month to resolve a class action lawsuit filed by the affected plan members.