In March 2015, Premera Blue Cross disclosed a significant data breach that affected millions of its users. The breach resulted in cyber litigation (read the court opinion). Here’s a summary based on available information:
- Nature of the Breach: The breach was the result of a sophisticated cyberattack, which exposed sensitive information of approximately 11 million individuals. This included personal, financial, and health plan clinical data.
- Types of Data Exposed: The compromised data encompassed names, email addresses, phone numbers, Social Security numbers, bank account information, and sensitive health plan clinical data.
- Duration of the Attack: The breach is believed to have started in May 2014, with the attack going undetected for nearly nine months until it was discovered in January 2015.
- Method of Attack: A phishing email allowed hackers to install malware on Premera Blue Cross’s systems, giving them access to sensitive member data.
- Impact: This incident was one of several high-profile breaches in the healthcare sector at the time, highlighting the vulnerability of such organizations to cyber threats. It was particularly impactful because Premera Blue Cross is a major health insurer in the Pacific Northwest, affecting a significant number of individuals, including employees of large companies like Amazon, Microsoft, and Starbucks.
- Response and Legal Actions:
  - Immediate Actions: Premera took steps to secure its platform and prevent future incidents, though specifics on security enhancements were not detailed.
  - Legal Repercussions:
    - Settlement with OCR: Premera agreed to pay $6.85 million to settle potential violations of the HIPAA Privacy and Security Rules. This was the second-largest payment to resolve a HIPAA investigation at the time. They also had to implement a corrective action plan overseen by the Office for Civil Rights (OCR) for two years.
    - State Attorney General Investigation: Premera was also investigated by a coalition of 30 state attorneys general led by Washington’s Attorney General, resulting in a $10 million payment for failing to secure sensitive consumer data and for misleading consumers. This included $5.4 million to Washington and $4.6 million to the coalition.
    - Class Action Lawsuit: There were also lawsuits from affected individuals, with claims that Premera destroyed critical evidence, particularly a computer believed to hold key evidence of data exfiltration.
- Recommendations for Affected Individuals: Premera reached out to affected users, but those who believed they might be impacted but didn’t receive notification were advised to check services like “Have I Been Pwned” to see if their data was compromised. General advice included changing passwords, updating security question answers, and being cautious with suspicious emails.
This breach served as a significant example of the cybersecurity challenges facing the healthcare industry and underscored the need for robust data protection measures.