It seems that the financial woes of the largest insurance company in the Pacific Northwest are about to hit a critical point. Premera Blue Cross (PBC), a health insurance provider that serves approximately 2 million people, has agreed to pay a whopping $6.85 million dollar fine to the Office for Civil Rights (OCR) for a data breach that affected millions of individuals.
Wait a minute—back up
In 2015, we reported on the five largest data breaches of that year according to the Identity Theft Resource Center.While the largest and most noteworthy breach that year was the Anthem incident that affected the protected health information (PHI) of nearly 79 million individuals and was subject to a $16 million HIPAA fine, the second-largest breach was the Premera Blue Cross breach that affected 10.4 million people.
What happened
A phishing email sent in May of 2014 installed malware that gave hackers undetected access to PBC’s IT system for nine months until January of 2015 when it was finally detected. This long term, persistent underlying attack is known as an APT, or advanced persistent threat, and is typically carried out against nation-states or large corporations with the goal of stealing information over a long period of time. The successful phishing attempt resulted in the disclosure of the names, addresses, social security numbers, bank account numbers, dates of birth, email addresses, and clinical information of millions of individuals.
What the OCR investigation found
As a result of an attack of this scale, Premera Blue Cross had no option but to report the breach to the U.S. Department of Health and Human Services (HHS) which is what they did in March of 2015. The breach was summarily added to the HHS Wall of Shame, as is any PHI breach affecting more than 500 people. The subsequent investigation by the OCR resulted in multiple findings of system noncompliance that included:
Failure to conduct an enterprise-wide risk analysis
Failure to implement risk management controls
Failure to implement audit controls
If this sounds familiar, then you have certainly been paying attention to the Paubox blog, as these were similar issues that plagued another covered entity recently, Athens Orthopedic Clinic, which ended up paying $1.5 million in fines for a HIPAA violation last month.
What’s next for Premera Blue Cross
In addition to the mega millions that the health insurance company must pay, PBC has to adhere to a CAP (Corrective Action Plan) that includes:
Conducting an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI)
Developing and implementing a risk management plan within 60 days
Completely reviewing and revisingPBC’s policies and procedures that address the other sections of the CAP
In addition to these stipulations, the OCR will monitor the health insurance provider for the next two years in order to ensure HIPAA compliance.
Returning to Paubox...again
While we feel for the misfortune that has occurred for the company, we can’t help but think about the millions of dollars in fines that PBC could have saved had it contracted with a company like Paubox from the very beginning. As Paubox’s HIPAA compliant email solutions are HITRUST CSF certified, compliance is baked into everything that we do. In fact, the Paubox Email Suite Plus includes two key features that can effectively mitigate email phishing risks:
Inbound Security: Robust spam, virus, ransomware, and phishing protection that stops threats before they reach your inbox.
ExecProtect: Patented protection from display name spoofing attacks, preventing hackers from impersonating your CEO or other company leaders to trick employees into compromising your security.
Phishing attacks are just a reality of operating in the digital world. Becoming a Paubox customer puts your company in a better position to face cyber threats, whether you are a covered entity or business associate. Paubox Email Suite Plus helps you avoid horrific situations that lead to millions in lost revenue while protecting the ePHI of the individuals that allow your business to operate every day.