Insurer Paid Second Largest HIPAA Settlement Ever

Rivkin Radler LLP

The third HIPAA settlement to be announced by the U.S. Department of Health and Human Services within one week was a big one. On September 25, HHS announced that Premera Blue Cross agreed to pay $6.85 million to HHS’s Office for Civil Rights (OCR) to settle HIPAA violations arising out of a data breach that affected more than 10 million people. The payment by Premera, the largest health insurer in the Pacific Northwest, was surpassed only by the $16 million paid by Anthem to OCR in 2018 after a 2015 cyberattack.

Hackers used a phishing email to gain access to Premera’s computer system in 2014. Although the company said there was no evidence that customer information was removed from its system, the intrusion remained undetected for more than eight months. Social Security numbers, financial information and medical claims data were exposed. OCR’s investigation revealed that Premera had engaged in “systemic noncompliance” with HIPAA rules, “including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.” Premera’s Resolution Agreement and Corrective Action Plan with OCR required the insurer to promptly address those shortcomings.

Although Premera’s settlement was just announced, it was agreed to in March and the $6.85 million payment was made on April 30. HHS’s press release was part of an orchestrated publicity offensive that began with a September 21 announcement that a Georgia orthopedic practice paid a $1.5 million HIPAA settlement, as discussed here. In between, on September 23, HHS announced that CHSPSC Inc. agreed to pay $2.3 million to resolve an OCR investigation of a 2014 data breach that exposed the health information of more than six million people. CHSPSC, which provides health information management services to hospitals and physician clinics owned by Tennessee-based Community Health Systems, also reached its Resolution Agreement and Corrective Action Plan with OCR in March.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
