A fine of $6.85 million has been imposed on Premera Blue Cross, an insurance company based in Washington, DC, for a data breach that may have exposed the health information of more than 10 million people. The fine is the second largest paid to date to the Office for Civil Rights (OCR) of the Department of Health and Human Services.
The incident was the result of a phishing attack: in 2014, malicious actors sent an email that installed malware, giving them access to Premera's IT systems. According to the available information, the attackers had access to names, addresses, Social Security numbers, bank account information and clinical information from the company's health plans. The breach, however, was not detected until January 2015.
In its investigation, the OCR found that Premera had failed to assess the potential risks and vulnerabilities to its systems holding protected health information, and that it had not implemented risk management. In addition to the fine, the company will have to implement a series of corrective actions, and its progress will be monitored for two years. The company will also need to present a risk analysis and a risk management plan, both subject to approval by the Office for Civil Rights.
"If the big health insurers do not invest the time and effort to identify their security vulnerabilities, whether they are technical or human, surely the hacker...," said OCR Director Roger Severino in a press release. "This case strongly shows the damage that occurs when hackers are allowed to roam undetected in a system for almost nine months."
An Oregon federal judge approved a separate settlement in March in a lawsuit filed after the breach. Under the agreement, Premera will put $32 million into a settlement fund to cover the cost of credit monitoring and identity theft insurance services for members. The company will also spend $42 million to strengthen its security over the next three years.