Premera Blue Cross signed an agreement with 30 states as a result of a 10-month hack that exposed the protected health information (PHI) of 10.4 million patients. The victims of the data breach had previously filed a lawsuit against Premera and reached a $74 million settlement. However, Washington Attorney General Bob Ferguson led a separate investigation into Premera as well.
Through his investigation, Ferguson found that Premera violated HIPAA as well as the Washington State Consumer Protection Act. The company was aware that there were gaps in its cybersecurity practices and failed to remedy the problems. The Health Insurance Portability and Accountability Act (HIPAA) requires organizations to address any gaps they have in securing PHI with remediation plans. When an organization fails to implement remediation plans, it is in breach of the HIPAA regulation.
The investigation resulted in a settlement requiring Premera to pay an additional $10 million, with $5.4 million going to Washington and the remaining $4.6 million to be split among the other 29 states involved in the suit. The settlement also mandates that Premera regularly review its data security practices and hire an outside security firm, approved by the 30 states, to conduct those reviews. Premera must also hold meetings every two months between the chief information security officer (CISO) and executive management. In addition, the CEO must be notified within 48 hours of any unauthorized access to the company's network.
New Jersey Attorney General Gurbir Grewal states, “We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach. Companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”
Premera must also provide security training for all employees who handle PHI, and it must hire a compliance officer who has a background in HIPAA. These last two points, although reinforced through the settlement, are already requirements under HIPAA. All staff working with PHI must receive annual training to ensure that they are properly safeguarding the PHI they work with. In addition, organizations must have a designated compliance officer, although that person does not usually need a background in HIPAA.
Do you Need Help with HIPAA Compliance?
Compliancy Group is here to assist you with all of your HIPAA needs. Our total compliance solution, The Guard™, has all that you need to prove your “good faith effort” towards compliance. The Guard, along with our Compliance Coaches™, will help you identify any gaps you may have so that we can tailor remediation plans specific to your organization. Click here to learn more about how Compliancy Group can help you today!