Premera Blue Cross to pay $6.85M to settle 2015 breach

The Office for Civil Rights at the U.S. Department of Health and Human Services Premera Blue Cross announced this past Friday that Premera Blue Cross will pay $6.85 million and implement a corrective-action plan to settle potential HIPAA violations in a 2015 data breach.


According to OCR, this is the second-largest payment to resolve a HIPAA investigation in its history.

HIMSS20 Digital

Learn on-demand, earn credit, find products and solutions. Get Started >>

The breach at the Washington state health plan, which also operates in Alaska and is the biggest insurer in the Pacific Northwest, was first detected in January 2015 and was the result of a “sophisticated cyberattack.” It exposed the data of 10.4 million people.

OCR says it “found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management and audit controls,” and has required a “robust corrective action plan” that it will oversee for two years in addition to the monetary settlement.


In spring of 2014, a phishing email enabled hackers to install malware on Premera’s systems that gave them access to its members’ data. The breach was undetected for nearly nine months, until January 2015. In March, PBC reported the breach to OCR.

The undetected advanced persistent threat attack led to the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and health plan clinical information.

Announced just a month after another breach had hit another insurer, Anthem, the Premera incident was one of the earlier major salvos in what would soon become a sustained attack on U.S. healthcare organizations – serving as confirmation that hospitals and health plans were in the crosshairs of cybercriminals worldwide.


“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will,” said OC Director Roger Severino in a statement. “This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

Twitter: @MikeMiliardHITN
Email the writer:

Healthcare IT News is a publication of HIMSS Media.

Leave a Reply

Your email address will not be published. Required fields are marked *