HIPAA Noncompliance: Privacy Rule Violations
The requirement to prevent unauthorized disclosure of PHI and ePHI is a covered entity’s paramount responsibility under the HIPAA Privacy Rule. OCR’s investigation found that PBC’s noncompliance with this provision resulted in unauthorized access to the ePHI of 10,466,692 individuals whose information was maintained in PBC’s network. This piece of HIPAA noncompliance was only one of four areas of HIPAA noncompliance found by OCR.
HIPAA Noncompliance: Security Rule Violations
The cyber-attackers gained impermissible access to a veritable treasure trove of ePHI by deploying an advanced persistent threat. An advanced persistent threat actor gains unauthorized access to a computer network, and uses techniques that allow it to remain undetected for an extended period. In this case, that extended period was nine months. During this nine-month silent running, the attackers conducted an email phishing campaign, which installed malware on a Premera network system. Finally, the attack was detected at the end of January of 2015.
After PBC reported the incident two months later, OCR conducted its investigation, which found systemic HIPAA noncompliance. HHS found evidence of violations of three Security Rule requirements:
◈ The requirement to conduct an accurate and thorough assessment (called a security risk analysis or security risk assessment) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI;
◈ The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (risk management); and
◈ The requirement to implement sufficient hardware, software, and/or procedural mechanisms (audit controls) that record and examine activity in information systems that contain or use ePHI.
In not following these requirements, PBC was unaware of its system’s vulnerabilities, did nothing to reduce these vulnerabilities, and allowed nearly a year of invisible cyberattacks to occur under its nose through failure to implement mechanisms that might have detected what was going on.
As a result of the attack, patient names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information were all exposed.
The enterprise-level attack could have been prevented – and Premera would not now be Singing the Blues – by simply following the rules and documenting compliance. Notes Roger Severino, OCR Director, “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”