2 min read

Pacific northwest’s largest health insurance company pays $6.85M for data breach

Rikin Shah October 7, 2020

Healthcare cybersecurity news
Blue cross with healthcare figure logo
Premera Blue Cross logo It seems that the financial woes of the largest insurance company in the Pacific Northwest are about to hit a critical point.  Premera Blue Cross (PBC), a health insurance provider that serves approximately 2 million people, has agreed to pay a whopping $6.85 million dollar fine to the Office for Civil Rights (OCR) for a data breach that affected millions of individuals. 

Wait a minute—back up

In 2015, we reported on the five largest data breaches of that year according to the Identity Theft Resource Center. While the largest and most noteworthy breach that year was the Anthem incident that affected the protected health information (PHI) of nearly 79 million individuals and was subject to a $16 million HIPAA fine , the second-largest breach was the Premera Blue Cross breach that affected 10.4 million people. 

 

What happened

A phishing email  sent in May of 2014 installed malware that gave hackers undetected access to PBC’s IT system for nine months until January of 2015 when it was finally detected. This long term, persistent underlying attack is known as an APT, or advanced persistent threat , and is typically carried out against nation-states or large corporations with the goal of stealing information over a long period of time.  The successful phishing attempt resulted in the disclosure of the names, addresses, social security numbers, bank account numbers, dates of birth, email addresses, and clinical information of millions of individuals. 

 

What the OCR investigation found

As a result of an attack of this scale, Premera Blue Cross had no option but to report the breach to the U.S. Department of Health and Human Services (HHS) which is what they did in March of 2015. The breach was summarily added to the HHS Wall of Shame, as is any PHI breach affecting more than 500 people.   The subsequent investigation by the OCR resulted in multiple findings of system noncompliance that included: 
  • Failure to conduct an enterprise-wide risk analysis
  • Failure to implement risk management controls
  • Failure to implement audit controls
If this sounds familiar, then you have certainly been paying attention to the Paubox blog, as these were similar issues that plagued another covered entity recently, Athens Orthopedic Clinic, which ended up paying $1.5 million in fines for a HIPAA violation last month. 

 

What’s next for Premera Blue Cross

In addition to the mega millions that the health insurance company must pay, PBC has to adhere to a CAP (Corrective Action Plan) that includes: 
  • Conducting an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (ePHI) 
  • Developing and implementing a risk management plan within 60 days
  • Completely reviewing and revisingPBC’s policies and procedures that address the other sections of the CAP
In addition to these stipulations, the OCR will monitor the health insurance provider for the next two years in order to ensure HIPAA compliance. 

 

Returning to Paubox...again

While we feel for the misfortune that has occurred for the company, we can’t help but think about the millions of dollars in fines that PBC could have saved had it contracted with a company like Paubox from the very beginning.  As Paubox’s HIPAA compliant email solutions are HITRUST CSF certified , compliance is baked into everything that we do.  In fact, the Paubox Email Suite Plus includes two key features that can effectively mitigate email phishing risks:
  • Inbound Security: Robust spam, virus, ransomware, and phishing protection that stops threats before they reach your inbox.
  • ExecProtect: Patented protection from display name spoofing attacks, preventing hackers from impersonating your CEO or other company leaders to trick employees into compromising your security.
Phishing attacks are just a reality of operating in the digital world. Becoming a Paubox customer puts your company in a better position to face cyber threats, whether you are a covered entity or business associate Paubox Email Suite Plus helps you avoid horrific situations that lead to millions in lost revenue while protecting the ePHI of the individuals that allow your business to operate every day. 
 
Try Paubox Email Suite Plus for FREE today.
Start for free
Secure every email you send and receive HIPAA compliant. Threat-proof. Hassle-free.
Silhouetted hooded figure at computer with world map and network connections

How recent North Korean hacker activity will affect covered entities

Caitlin Anthoney : September 5, 2024

On August 19, 2024, Microsoft identified North Korean threat actor Citrine Sleet as exploiting a zero-day vulnerability in Chrome, known as...

Healthcare cybersecurity news
Read More
email icon with fish hook on computer

Phishing attack causes data breach at North Florida Cancer Care Center

Caitlin Anthoney : September 4, 2025

Cancer Care Center of North Florida recently disclosed a series of data security incidents that exposed the protected health information (PHI) of...

Healthcare cybersecurity news
Read More
Team of professionals collaborating at a computer workstation

North Korea is actively using ransomware to target healthcare

Anne-Marie Sullivan : July 7, 2022

CISA, the FBI, Department of Treasury, and Infrastructure Security Agency released a joint Cybersecurity Advisory yesterday to alert the public...

Healthcare cybersecurity news
Read More

Subscribe to Paubox Weekly

Every Friday we bring you the most important news from Paubox. Our aim is to make you smarter, faster.