Premera Blue Cross to pay $6.85M to settle 2015 breach

The breach at the health plan, which affected 10.4 million people, was the second largest to hit healthcare at the time. Five years later, Premera is making the second-biggest payment ever to settle a HIPAA case.
By Mike Miliard
10:45 AM

The Office for Civil Rights at the U.S. Department of Health and Human Services Premera Blue Cross announced this past Friday that Premera Blue Cross will pay $6.85 million and implement a corrective-action plan to settle potential HIPAA violations in a 2015 data breach.


According to OCR, this is the second-largest payment to resolve a HIPAA investigation in its history.

The breach at the Washington state health plan, which also operates in Alaska and is the biggest insurer in the Pacific Northwest, was first detected in January 2015 and was the result of a "sophisticated cyberattack." It exposed the data of 10.4 million people.

OCR says it "found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management and audit controls," and has required a "robust corrective action plan" that it will oversee for two years in addition to the monetary settlement.


In spring of 2014, a phishing email enabled hackers to install malware on Premera's systems that gave them access to its members' data. The breach was undetected for nearly nine months, until January 2015. In March, PBC reported the breach to OCR.

The undetected advanced persistent threat attack led to the disclosure of more than 10.4 million individuals' protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and health plan clinical information.

Announced just a month after another breach had hit another insurer, Anthem, the Premera incident was one of the earlier major salvos in what would soon become a sustained attack on U.S. healthcare organizations – serving as confirmation that hospitals and health plans were in the crosshairs of cybercriminals worldwide.


"If large health insurance entities don't invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will," said OC Director Roger Severino in a statement. "This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months."

Twitter: @MikeMiliardHITN
Email the writer:

Healthcare IT News is a publication of HIMSS Media.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.