Rivas Goldstein, LLP Call : 646-859-3790

Lessons from record setting HIPAA fine

The United States Department of Health and Human Services (HHS) recently announced a $6.85 million settlement with Premera Blue Cross, a private health insurance provider, to settle claims the company violated the Health Insurance Portability and Accountability Act (HIPAA). The provider is also required to implement a “robust corrective plan” that will include two years of monitoring to reduce the risk of similar incidents in the future.

According to a press release from the federal agency, the provider filed a report after it was the victim of a cyber-attack. The attackers gained access to the provider’s information technology system, installed malware and continued to access the system for almost a year without detection. The federal agency claims the provider’s failure to comply with HIPAA rules, including regular risk analysis assessments and audit controls, contributed to the security lapse and the continued breach. Hackers had access to protected patient information throughout the breach, including names, Social Security numbers, bank account details and health plan clinical information.

The settlement is of note because it is the second largest payment to resolve a HIPAA claim in the history of the Office for Civil Rights (OCR). Three lessons that healthcare providers can learn from this case include:

  1. The government expects healthcare providers to follow the provisions of HIPAA. This includes the use of audits to help proactively reduce the risk of a breach.
  2. The government will aggressively investigate allegations of breach. Whether self-reported or discovered through an independent investigation, the government takes potential HIPAA violations very seriously.
  3. Penalties are steep. If the government finds evidence of a violation, it will pursue penalties. These can include both hefty financial penalties and additional future monitoring.

Arguably, one of the most important steps healthcare providers can take to reduce the risk of a similar issue is the completion of regular internal audits.
