Insurer Paid Second Largest HIPAA Settlement Ever

Rivkin Radler LLP

Rivkin Radler LLP

The third HIPAA settlement to be announced by the U.S. Department of Health and Human Services within one week was a big one. On September 25, HHS announced that Premera Blue Cross agreed to pay $6.85 million to HHS’s Office for Civil Rights (OCR) to settle HIPAA violations arising out of a data breach that affected more than 10 million people. The payment by Premera, the largest health insurer in the Pacific Northwest, was surpassed only by the $16 million paid by Anthem to OCR in 2018 after a 2015 cyberattack.

Hackers used a phishing email to gain access to Premera’s computer system in 2014. Although the company said there was no evidence that customer information was removed from its system, the intrusion remained undetected for more than eight months. Social Security numbers, financial information and medical claims data were exposed. OCR’s investigation revealed that Premera had engaged in “systemic noncompliance” with HIPAA rules, “including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.” Premera’s Resolution Agreement and Corrective Action Plan with OCR required the insurer to promptly address those shortcomings.

Although Premera’s settlement was just announced, it was agreed to in March and the $6.85 million payment was made on April 30. HHS’s press release was part of an orchestrated publicity offensive that began with a September 21 announcement that a Georgia orthopedic practice paid a $1.5 million HIPAA settlement, as discussed here. In between, on September 23, HHS announced that CHSPSC Inc. agreed to pay $2.3 million to resolve an OCR investigation of a 2014 data breach that exposed the health information of more than six million people. CHSPSC, which provides health information management services to hospitals and physician clinics owned by Tennessee-based Community Health Systems, also reached its Resolution Agreement and Corrective Action Plan with OCR in March.

Share this article:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising

Written by:

Rivkin Radler LLP

Rivkin Radler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.