HIPAA Noncompliance

Premera Blue Cross (PBC) is a not-for-profit covered entity and business associate. PBC is also an independent licensee of the Blue Cross Blue Shield Association, and is the largest health insurance provider in the Pacific Northwest, covering over 2 million people. PBC was the victim of a May 2014 data breach caused by a cyberattack. The attack, carried out by an advanced persistent threat (APT) actor, allowed the hackers to tamper with PBC’s IT systems undiscovered for nine months. In March 2015, PBC reported the incident, filing a breach report with the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The subsequent OCR investigation found that the cyberattack resulted in a breach exposing the PHI of over 10.4 million individuals. PBC, faced with the prospect of fines for multiple HIPAA violations, agreed to settle the matter with OCR for $6.8 million and to submit to a two-year corrective action plan (CAP).

HIPAA Noncompliance: Privacy Rule Violations

The requirement to prevent unauthorized disclosure of PHI and ePHI is a covered entity’s paramount responsibility under the HIPAA Privacy Rule. OCR’s investigation found that PBC’s noncompliance with this provision resulted in unauthorized access to the ePHI of 10,466,692 individuals whose information was maintained in PBC’s network. This piece of HIPAA noncompliance was only one of four areas of HIPAA noncompliance found by OCR.

HIPAA Noncompliance: Security Rule Violations

The attackers gained impermissible access to a veritable treasure trove of ePHI by operating as an advanced persistent threat. An advanced persistent threat actor gains unauthorized access to a computer network and uses techniques that allow it to remain undetected for an extended period. In this case, that period was nine months. The intrusion began with an email phishing campaign that installed malware on a Premera network system; from there the attackers maintained their foothold silently until the attack was finally detected at the end of January 2015.

After PBC reported the incident two months later, OCR conducted its investigation, which found systemic HIPAA noncompliance. HHS found evidence of violations of three Security Rule requirements:

The requirement to conduct an accurate and thorough assessment (called a security risk analysis or security risk assessment) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; 

The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (risk management); and 

The requirement to implement sufficient hardware, software, and/or procedural mechanisms (audit controls) that record and examine activity in information systems that contain or use ePHI. 

By not following these requirements, PBC was unaware of its systems’ vulnerabilities, did nothing to reduce them, and allowed nine months of invisible cyberattack activity to occur under its nose, because it had not implemented mechanisms that might have detected what was going on.

As a result of the attack, patient names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information were all exposed. 

The enterprise-level attack could have been prevented – and Premera would not now be Singing the Blues – by following the rules and documenting compliance. As Roger Severino, OCR Director, notes: “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.”

Protect Against HIPAA Fines

Compliant organizations don’t get fined. Become compliant today!