The United States Department of Health and Human Services (HHS) recently announced a $6.85 million settlement with Premera Blue Cross, a private health insurance provider, to settle claims the company violated the Health Insurance Portability and Accountability Act (HIPAA). The provider is also required to implement a “robust corrective plan” that will include two years of monitoring to reduce the risk of similar incidents in the future.
According to a press release from the federal agency, the provider filed a report after it was the victim of cyber-attack. The attackers gained access to the provider’s information technology system, installed malware and continued to access the system for almost a year without detection. The federal agency claims the provider’s failure to comply with HIPAA rules included regular risk analysis assessments and audit controls contributed to the security lapse and continued breach. Hackers had access to protected patient information throughout the breach, including names, Social Security numbers, bank accounts and health plan clinical information.
The settlement is of note because it is the second largest payment to resolve a HIPAA claim in the history of the Office for Civil Rights (OCR). Three lessons that healthcare providers can learn from this case include:
- The government expects healthcare providers to follow the provisions of HIPAA. This includes the use of audits to help proactively reduce the risk of a breach.
- The government will aggressively investigate allegations of breach. Whether self-reported or discovered through an independent investigation, the government takes potential HIPAA violations very seriously.
- Penalties are steep. If the government finds evidence of a violation, it will pursue penalties. These penalties can include both hefty financial penalties as well as additional future monitoring.
Arguably, one of the most important steps healthcare providers can take to reduce the risk of a similar issue is the completion of regular internal audits.