2 min read
It seems that the financial woes of the largest insurance company in the Pacific Northwest are about to hit a critical point. Premera Blue Cross (PBC), a health insurance provider that serves approximately 2 million people, has agreed to pay a whopping $6.85 million dollar fine to the Office for Civil Rights (OCR) for a data breach that affected millions of individuals.
Wait a minute—back up
In 2015, we reported on the five largest data breaches of that year according to the Identity Theft Resource Center. While the largest and most noteworthy breach that year was the Anthem incident that affected the protected health information (PHI) of nearly 79 million individuals and was subject to a $16 million HIPAA fine , the second-largest breach was the Premera Blue Cross breach that affected 10.4 million people.What happened
A phishing email sent in May of 2014 installed malware that gave hackers undetected access to PBC’s IT system for nine months until January of 2015 when it was finally detected. This long term, persistent underlying attack is known as an APT, or advanced persistent threat , and is typically carried out against nation-states or large corporations with the goal of stealing information over a long period of time. The successful phishing attempt resulted in the disclosure of the names, addresses, social security numbers, bank account numbers, dates of birth, email addresses, and clinical information of millions of individuals.What the OCR investigation found
As a result of an attack of this scale, Premera Blue Cross had no option but to report the breach to the U.S. Department of Health and Human Services (HHS) which is what they did in March of 2015. The breach was summarily added to the HHS Wall of Shame, as is any PHI breach affecting more than 500 people. The subsequent investigation by the OCR resulted in multiple findings of system noncompliance that included:- Failure to conduct an enterprise-wide risk analysis
- Failure to implement risk management controls
- Failure to implement audit controls
What’s next for Premera Blue Cross
In addition to the mega millions that the health insurance company must pay, PBC has to adhere to a CAP (Corrective Action Plan) that includes:- Conducting an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI)
- Developing and implementing a risk management plan within 60 days
- Completely reviewing and revisingPBC’s policies and procedures that address the other sections of the CAP
Returning to Paubox...again
While we feel for the misfortune that has occurred for the company, we can’t help but think about the millions of dollars in fines that PBC could have saved had it contracted with a company like Paubox from the very beginning. As Paubox’s HIPAA compliant email solutions are HITRUST CSF certified , compliance is baked into everything that we do. In fact, the Paubox Email Suite Plus includes two key features that can effectively mitigate email phishing risks:- Inbound Security: Robust spam, virus, ransomware, and phishing protection that stops threats before they reach your inbox.
- ExecProtect: Patented protection from display name spoofing attacks, preventing hackers from impersonating your CEO or other company leaders to trick employees into compromising your security.
