Healthcare Data Breaches at Fairchild Medical Center, Indian Health Council Inc. and Harvard Pilgrim Health Care

Fairchild Medical Center in Yreka, CA, has begun notifying patients that their protected health information (PHI) may have been accessed by unauthorized individuals over the internet.

In July 2020, a third-party security company advised Fairchild Medical Center that a misconfigured server was accessible over the web. With the assistance of third-party computer experts, the medical center confirmed that unauthorized persons could have accessed patient information.

The server stored medical images that include patient names, dates of birth, exam identification numbers, patient ID numbers, names of ordering provider, and dates of examination. The misconfiguration dated from December 16, 2015 and was not corrected until July 31, 2020. A third-party security firm validated the security of the server after the required changes were made.

The forensic investigation could not determine whether unauthorized persons actually accessed patient data while the server was exposed, but the possibility cannot be ruled out.

Indian Health Council Inc Experiences Ransomware Attack

In September 2020, a ransomware attack on Indian Health Council Inc. in Valley Center, CA encrypted files that likely contained patient PHI. Indian Health Council discovered the attack on September 22, 2020 and engaged third-party computer forensic specialists to assist with the investigation.

An analysis of the files the attacker accessed shows that some contained patient data such as names, birth dates, health details, and health insurance data and, for some people, details about medical conditions, treatment, or diagnoses.

After the attack, Indian Health Council Inc changed passwords and hardened its security to prevent further attacks. It also implemented additional controls covering remote access and multi-factor authentication.

All patients affected by the attack have now been sent notification letters. The breach report submitted to the Office for Civil Rights shows that the attack potentially affected 5,769 persons.

Mismailing Incident At Harvard Pilgrim Health Care

Harvard Pilgrim Health Care is notifying 8,022 people about a software error in its enrollment data management system. The error associated an individual's mailing address with another address linked to that individual's health plan. As a result, certain mailings were sent to the address of another subscriber on the person's health plan or to a previous address. Harvard Pilgrim Health Care traced the problem to an error introduced in 2013.

The types of information exposed varied from mailing to mailing and may have included the member's name, ID number, date of birth, phone number, provider names, dates of service, treatment data, deductibles, charges for services, co-pay amount, and co-insurance details linked to healthcare coverage.

The error has been corrected and the process for system updates has been reviewed and improved. Affected members were advised to review their Activity Summaries and to report any suspicious entries to Harvard Pilgrim without delay.

Cyberattackers Issue Ransom Demands to Advanced Urgent Care of Florida Keys and Galstan & Ward Family and Cosmetic Dentistry

Advanced Urgent Care of Florida Keys began sending breach notifications to patients on November 6, 2020 concerning a ransomware attack that occurred on March 1, 2020. Though not mentioned in the breach notice, the theft of patient information during the attack was documented on March 14, 2020. The attackers published the stolen data on the internet because no ransom was paid.

According to the Advanced Urgent Care breach notice, the investigation into whether patient information was compromised continued until September 11, 2020. The attack resulted in the encryption of files on a backup drive that contained protected health information (PHI) such as names, dates of birth, medical treatment details, laboratory results, medical diagnostic data, medical insurance data, medical record numbers, Medicaid or Medicare beneficiary numbers, medical billing details, bank account data, credit or debit card details, CHAMPUS ID numbers, driver's license numbers, Military and/or Veterans Administration numbers, Social Security numbers and signatures.

Advanced Urgent Care provided free credit monitoring services to individuals whose Social Security numbers were potentially exposed and has taken steps to strengthen security, to protect against further attacks, and to detect and remediate potential threats.

Galstan & Ward Family and Cosmetic Dentistry, GA

Galstan & Ward Family and Cosmetic Dentistry, based in Suwanee, GA, reported a ransom incident involving a computer virus that infected one of its servers. Unlike typical ransomware attacks, which leave encrypted files and a ransom note on infected systems, this incident began with a telephone call: according to Galstan & Ward, the caller told the practice that a virus had infected its server and demanded a ransom payment over the phone.

Galstan & Ward had already noticed suspicious activity on the server and had contracted a third-party vendor to clean it and restore data from a backup. Galstan & Ward did not pay any ransom and reported no significant interruption to services or loss of data. On September 11, 2020, however, Galstan & Ward discovered that some files had been stolen and published by the attacker on a dark web site. Those stolen files did not include any patient data.

The contracted IT company confirmed that the malware had been removed and found no indication that patient information in the dental practice software had been accessed. Further investigation likewise found no evidence that patient data had been accessed or acquired.

Galstan & Ward issued notifications to patients as a precaution, since the possibility of unauthorized access to PHI could not be ruled out. If the attackers did access the dental software, they could potentially have viewed names, addresses, birth dates, Social Security numbers, and dental records.

The Galstan & Ward substitute breach notice states that the practice now uses cryptographic technology to protect patient information and has added further data security measures to its web server infrastructure. The practice also offered affected individuals free identity theft protection services through IDX.

Zoll Takes Legal Action Against IT Vendor for 277,000-Record Breach

Medical device manufacturer Zoll has filed a lawsuit in the US District Court in Massachusetts against its IT service vendor, Barracuda Networks of Campbell, CA. The suit alleges that Barracuda Networks botched a server migration, leading to a breach of the protected health information (PHI) of 277,139 individuals.

The breach involved archived emails that were being migrated to a new email storage service. A configuration problem exposed those email messages for over 2 months, between November 8, 2018 and December 28, 2020. The configuration error was corrected, but Zoll was not notified of the breach until January 24, 2019. The breach investigation revealed that the exposed emails contained the following patient information: names, contact details, birth dates, health data, and, for a number of patients, Social Security numbers.

Zoll partnered with a company called Apptix, now known as Fusion Connect, in 2012 and signed a business associate agreement for hosted business communication services. Apptix then contracted with a firm named Sonian to provide services including email archiving. Barracuda Networks acquired Sonian in 2017.

According to the lawsuit, Barracuda Networks learned of the email breach on January 1, 2019. The investigation showed that Barracuda Networks made an error that left a data port accessible to anyone, which exposed the email search feature of the migration tool for a small subset of the directories. The port remained open for roughly 7 weeks before the error was found and the port was secured. While the port was accessible, an unauthorized person accessed email data and ran repeated automated searches of the archive.

A PHI breach of this type has consequences for patients. Affected patients suffered harm as a result of the disclosure and theft of their private and healthcare data. In April 2019, legal action was filed against Zoll on behalf of individuals affected by the breach. Zoll sought indemnity from Apptix, but the company did not act. That case has since been settled.

In addition to the settlement and legal costs, Zoll spent internal and external resources on investigation and mitigation, on sending breach notification letters to affected patients, and on providing free services to protect patients against loss and damage. The lawsuit seeks to recover those costs from Barracuda Networks.

Zoll claims that Barracuda Networks was negligent in implementing reasonable safeguards to protect Zoll's data and that Barracuda Networks failed to cooperate fully with Zoll's investigation. Zoll states that Barracuda Networks did not give the investigators access to its web platform and did not answer many of the investigators' questions. Zoll also says that Barracuda Networks did not provide information about the dates on which patient information was compromised, the types of data exposed, or whether the hackers exfiltrated any data.

The lawsuit acknowledges that Barracuda Networks responded to the breach and put in place additional safeguards, policies and procedures to prevent similar incidents in the future, but alleges that it breached its obligation to implement reasonable protections for Zoll's data before the breach. Zoll also alleges a breach of the implied warranty of merchantability, because the email archiving solution was warranted to be suitable for secure email archiving, yet security vulnerabilities allowed unauthorized people to access sensitive archived information. Zoll further claims that the email storage service was defective and not fit for its purpose, and that Barracuda Networks therefore breached the implied warranty of fitness for a particular purpose.

Blackbaud SEC Filing Gives Additional Details on Data Breach and Expenditures of Mitigation

The number of entities reporting that they were affected by the Blackbaud cyberattack and data breach has continued to grow in recent weeks. The Department of Health and Human Services' Office for Civil Rights breach portal is regularly updated to record healthcare victims. The entities most recently added are OSF HealthCare System, Geisinger and Moffitt Cancer Center. Together, the three organizations reported that the breach affected 276,600 persons.

Although Blackbaud has not disclosed the total number of affected people, at least 250 healthcare providers, nonprofits, and educational institutions are known to have been affected. Reports from healthcare organizations alone show that the breach affected more than 10 million people.

Given the breach costs incurred by affected organizations and the number of people whose personal data was compromised, it is not surprising that Blackbaud faces numerous class action lawsuits. According to its 2020 Q3 Quarterly Report filed with the U.S. Securities and Exchange Commission (SEC), 23 proposed class action lawsuits have been filed so far in the U.S. and Canada: 2 in Canadian courts, 17 in U.S. federal court, and 4 in state courts.

The lawsuits assert that victims suffered harm as a result of the breach and allege several regulatory violations. They seek damages, injunctive relief, and attorneys' fees. Close to 160 claims have also been received from Blackbaud's customers in the U.S., Canada, and the U.K.

In addition to the lawsuits, regulators are investigating Blackbaud for potential violations of data privacy laws. The investigating bodies are the Federal Trade Commission and the Department of Health and Human Services and, internationally, the UK's Information Commissioner's Office and the Office of the Privacy Commissioner of Canada. 43 state attorneys general and the District of Columbia have also opened a joint investigation.

According to the SEC filing, Blackbaud incurred more than $3.2 million in costs responding to the cyberattack from July to September 2020, and $3.6 million over the last 9 months. That figure is offset by $2.9 million in insurance recoveries accrued between July and September.

Costs will continue to accumulate as the breach is resolved and are likely to be sizeable, but Blackbaud says its cyber insurance coverage will cover most of them.

While cyber insurance has already paid for part of the costs, there is no assurance that the policies will cover all of them. The likelihood of loss cannot be established until a court has ruled that a plaintiff has satisfied the relevant class action procedural requirements.

In a call with financial analysts, Blackbaud said that the forensic investigation determined how the hackers gained access to its network. The hackers exploited a vulnerability in its earlier-generation products; that vulnerability has since been patched and steps have been taken to harden security. Blackbaud also said that it had invested heavily in cybersecurity and staff before the breach to prepare for this kind of attack.

Blackbaud was able to contain the attack but could not prevent the exfiltration of some customer data. The company paid the ransom to prevent the data from being exposed and believes the payment prevented any further exposure.

Most Microsoft 365 Admins Have Not Set Up Multi-Factor Authentication

CoreView has published a new report revealing that many Microsoft 365 admins have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and have not implemented other basic security measures. According to the report, 78% of Microsoft 365 administrators have yet to enable multi-factor authentication, and 97% of Microsoft 365 users are not using MFA.

This is a major security risk, especially now that so many workers are remote. IT departments should recognize the problem and correct it in order to prevent cyberattacks and strengthen their organization's security posture.

The SANS Institute notes that 99% of data breaches are preventable by using MFA, and Microsoft stated in an August 2020 blog post that MFA is the single most important measure for preventing unauthorized account access, saying that 99.9% of account compromises could be prevented by using MFA.

The CoreView study also found that 1% of Microsoft 365 administrators do not use strong passwords, even though attackers are adept at cracking passwords with automated brute force attacks. Even a strong password is no guarantee against a breach: it provides no protection if a user falls victim to a phishing scam. If a password is stolen, MFA should prevent it from being used to gain access to the account.

The CoreView M365 Application Security, Data Governance, and Shadow IT Report points out that Microsoft 365 administrators have extensive control and access to valuable sensitive information. 57% of Microsoft 365 admins were found to have substantial permissions to access, alter, and expose business-critical data. In addition, 36% of Microsoft 365 administrators are Global Administrators, giving them complete control over their organization's Microsoft 365 environment. 17% of Microsoft 365 admins are also Exchange admins with access to every email account in the company, including C-Suite accounts. If Microsoft 365 admin accounts are compromised, attackers can access the whole Microsoft 365 environment and the large volumes of sensitive information it holds. The Microsoft 365 environment not only contains a large amount of easily monetized data; the accounts are also connected to other systems and can be used to mount a much larger attack on the company.
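The two findings above (admins without MFA, and the concentration of Global Administrator and Exchange administrator rights) are what an organization would want to measure in its own tenant. The script below is an added example, not part of the CoreView report or the original article: it lists the members of those two directory roles and flags any user account with no MFA method registered. It assumes the MSOnline PowerShell module is installed and Connect-MsolService has already been run with an account that can read roles and users; the role names "Company Administrator" (MSOnline's name for Global Administrator) and "Exchange Service Administrator", and the StrongAuthenticationMethods property, are MSOnline's as I understand them.

```powershell
# Added example, not from the CoreView report or the original article.
# Lists members of privileged Microsoft 365 directory roles and flags those with
# no MFA method registered. Assumptions: MSOnline module installed and
# Connect-MsolService already run; role names and the StrongAuthenticationMethods
# property are as exposed by MSOnline.

# Roles the article singles out: Global Administrator (MSOnline calls it
# "Company Administrator") and Exchange administrators.
$rolesOfInterest = @('Company Administrator', 'Exchange Service Administrator')

$findings = foreach ($roleName in $rolesOfInterest) {
    $role = Get-MsolRole | Where-Object { $_.Name -eq $roleName }
    if (-not $role) { continue }

    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Groups and service principals have no user MFA state; audit users only.
        if ($member.RoleMemberType -ne 'User') { continue }

        $user = Get-MsolUser -ObjectId $member.ObjectId
        # An empty StrongAuthenticationMethods collection means no MFA method
        # (authenticator app, phone, etc.) has been registered for the account.
        $methods = @($user.StrongAuthenticationMethods)
        $defaultMethod = ($methods | Where-Object { $_.IsDefault } | Select-Object -First 1).MethodType
        if (-not $defaultMethod) { $defaultMethod = 'none' }

        [pscustomobject]@{
            Role          = $roleName
            User          = $user.UserPrincipalName
            MfaRegistered = ($methods.Count -gt 0)
            DefaultMethod = $defaultMethod
        }
    }
}

# Unregistered admins first, so the gap the report describes is at the top.
$findings | Sort-Object MfaRegistered, Role | Format-Table -AutoSize

$gap = @($findings | Where-Object { -not $_.MfaRegistered })
Write-Host ("{0} of {1} privileged role assignments have no MFA method registered." -f $gap.Count, @($findings).Count)
```

A registered method is not the same as MFA being enforced; the output tells you who could not complete an MFA challenge at all, which is the first population to fix, and a Conditional Access or per-user MFA policy is what actually requires the challenge.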

The study also found that while companies have invested heavily in productivity and collaboration applications that enable staff to communicate and work more efficiently, there has been a surge in shadow IT, particularly SaaS applications. SaaS apps are frequently used by staff without the IT department's knowledge, and many lack adequate security, allowing preventable cyberattacks to occur.

At the most basic level, malicious applications can siphon off critical data. Users may also be sharing sensitive company data through these applications with unauthorized parties, placing organizations at considerable risk of a data breach. It is crucial that companies properly monitor these applications for security gaps.

Businesses that use Microsoft 365 often take their security and governance responsibilities too lightly, wrongly assuming that Microsoft 365 is secure by default and comes with the protections needed to prevent data breaches. Microsoft 365 can be secured, but businesses must be proactive and ensure that security is addressed, that shadow IT is adequately supervised, and that appropriate data governance is in place.

HITRUST Certification Shows LuxSci’s Dedication to Safeguarding Data Privacy and Security

LuxSci, a HIPAA-compliant email communications service provider based in Massachusetts, has announced that it has obtained HITRUST CSF Certification.

The HITRUST Common Security Framework (CSF) is a comprehensive, certifiable framework for organizations that create, access, store, or transmit sensitive and regulated information. The HITRUST CSF consists of a prescriptive set of scalable controls that map to multiple regulations and standards, including the ISO/IEC 27000 series and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. By incorporating federal and state regulations, standards, and frameworks and applying a risk-based approach, the HITRUST CSF helps organizations address compliance challenges and implement safeguards that ensure the confidentiality, integrity and availability of sensitive data. HITRUST CSF Certification is the benchmark for security and the most widely adopted security framework in healthcare.

LuxSci adopted the HITRUST CSF and applied its controls and configurations to all of the server clusters it uses to deliver email, marketing, forms, SMS and web hosting services. LuxSci recently underwent a detailed third-party assessment against the HITRUST CSF requirements and was confirmed as having achieved HITRUST CSF certified status for data security.

Customers of service providers such as LuxSci need clear evidence that those services are HIPAA compliant and apply the required safeguards to protect privacy and security. HITRUST CSF certification provides that evidence.

According to LuxSci CEO and President Erik Kangas, achieving HITRUST CSF certification demonstrates the priority LuxSci places on security. Security is not a one-time exercise; the HITRUST CSF evolves with the threat landscape and is best used as a benchmark for measuring and managing security and compliance.

LuxSci is committed to ensuring that its servers remain secure and that customer information is continuously protected. By following security best practices, the company intends to maintain its HITRUST CSF Certification and to help its customers uphold the highest standard of security and compliance while addressing their specific business challenges.

CISA Warns Companies to Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Vulnerability Immediately

On October 2020 Patch Tuesday, Microsoft released a patch for a critical remote code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw is caused by the way the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The vulnerability has been assigned a CVSS v3 score of 9.8 out of 10.

All patches should be applied promptly to prevent exploitation, and there is usually a gap between the release of a patch and the development of working exploits for use against organizations. However, given the severity of this vulnerability and the ease with which it can be exploited, patching it is especially important, so much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) used Twitter to urge all organizations to apply the patch without delay.

An attacker can exploit the vulnerability remotely to cause a denial of service, triggering a 'blue screen of death' system crash, and exploitation may also allow remote execution of arbitrary code on unpatched systems. To exploit the vulnerability, an unauthenticated attacker only needs to send a specially crafted ICMPv6 Router Advertisement to a vulnerable Windows computer running Windows Server versions 1903 to 2004, Windows Server 2019, or Windows 10 1709 to 2004.

Although there is no known exploitation of the vulnerability in the wild, it will be attractive to attackers. McAfee Labs said that a proof-of-concept exploit for the vulnerability was provided to Microsoft Active Protection Program members and described it as "extremely simple and perfectly reliable." Besides being easy to exploit, the vulnerability is most likely wormable, so compromising one system could lead to every vulnerable system on the network being compromised in the same way.

McAfee Labs dubbed the vulnerability "Bad Neighbor" because it resides in the ICMPv6 Neighbor Discovery Protocol, uses the Router Advertisement message type, and results from the TCP/IP stack improperly handling ICMPv6 Router Advertisement packets that carry Option Type 25 (Recursive DNS Server Option) with an even value in the length field.

If patching cannot be done quickly, mitigations should be implemented to reduce the opportunity for exploitation.

Microsoft advises administrators to disable ICMPv6 RDNSS to prevent exploitation. This can be done with a single netsh command, run from an elevated command prompt or PowerShell session, where INTERFACENUMBER is the interface index shown by netsh int ipv6 show interfaces:

netsh int ipv6 set int INTERFACENUMBER rabaseddnsconfig=disable

This workaround disables RA-based DNS configuration, however, so it cannot be used on networks that rely on RA-based DNS configuration. In addition, the mitigation is only effective on Windows 10 1709 and later.

Alternatively, exploitation can be prevented by disabling IPv6 traffic on the NIC or blocking it at the network perimeter, although this is only feasible if IPv6 traffic is not required.
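The workaround above has to be applied per interface and only exists on Windows 10 1709 and later, so it is worth auditing before changing anything. The script below is an added example, not Microsoft's tooling and not part of the original article: it reports the RA-based DNS configuration state of every IPv6 interface and, only when run with -Disable, applies the netsh workaround on interfaces where it is still enabled. It assumes an elevated PowerShell session on a Windows 10 or Server release with the NetTCPIP cmdlets (Get-NetIPInterface); the build numbers it compares against (1709 = 16299, 2004 = 19041) come from public Windows release information, not from the article.

```powershell
# Added example, not part of the original article and not Microsoft's own tooling.
# Audits each IPv6 interface for RA-based DNS configuration (RDNSS, RFC 6106) and,
# when run with -Disable, applies the netsh workaround described in the article.
# Assumptions: elevated PowerShell on Windows 10 1709 or later; build numbers
# below come from public Windows release information, not from the article.
[CmdletBinding()]
param(
    [switch]$Disable   # apply the workaround instead of only reporting
)

$build = [System.Environment]::OSVersion.Version.Build
# Windows 10 1709 = build 16299; 2004 = build 19041. The RDNSS workaround only
# exists on 1709 and later, so stop early on older releases.
if ($build -lt 16299) {
    Write-Warning "Build $build predates Windows 10 1709; the rabaseddnsconfig workaround is not available here."
    return
}
if ($build -gt 19041) {
    Write-Host "Build $build is newer than the releases listed as affected; still confirm the October 2020 update is installed."
}

# ifIndex is the INTERFACENUMBER the netsh command expects.
$interfaces = Get-NetIPInterface -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }

foreach ($if in $interfaces) {
    $idx = $if.ifIndex
    # The per-interface detail view prints a line such as
    # "RA Based DNS Config (RFC 6106) : enabled"; read the state from it.
    $detail = netsh interface ipv6 show interface $idx
    $line = $detail | Where-Object { $_ -match 'RA Based DNS Config' } | Select-Object -First 1
    $state = 'unknown'
    if ($line -and ($line -match ':\s*(\w+)\s*$')) { $state = $Matches[1] }

    Write-Host ("{0,-4} {1,-35} RA-based DNS config: {2}" -f $idx, $if.InterfaceAlias, $state)

    if ($Disable -and $state -eq 'enabled') {
        # Microsoft's documented workaround, applied to this interface only.
        netsh interface ipv6 set interface $idx rabaseddnsconfig=disable | Out-Null
        Write-Host "  -> disabled RA-based DNS configuration on interface $idx"
    }
}
```

Run it without -Disable first: the report shows which interfaces would be changed, which matters on networks that depend on RA-based DNS configuration, where the article's caveat applies and patching is the only safe option.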

Breaches at Legacy Community Health Services, Georgia Department of Human Services and Einstein Healthcare Network

Legacy Community Health Services Phishing Attack Affects 228,000 Persons

Legacy Community Health Services in Texas is notifying 228,009 patients of a breach of their protected health information (PHI) after an unauthorized individual accessed PHI stored in an email account.

Legacy Community Health Services detected the breach on July 29, 2020. It was caused by an employee responding to a phishing email and disclosing their login credentials to the attacker. The email account was secured promptly and a computer forensics firm investigated the incident.

No evidence was found to suggest that the attacker viewed emails or stole electronic PHI, but the possibility of data theft could not be ruled out. The data in the compromised email account included patient names, dates of service, and health information related to care received at Legacy, as well as the Social Security numbers of some patients. Free membership of credit monitoring and identity protection services was offered to those whose SSN was exposed.

Legacy Community Health Services has strengthened its email security and retrained its workforce on identifying and avoiding phishing emails.

Georgia Department of Human Services Uncovers Breach of A Number of Employee Email Accounts

Unauthorized individuals accessed the email accounts of a number of Georgia Department of Human Services staff. The email accounts contained the personal information and PHI of parents and children who were engaged in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).

The Georgia Department of Human Services discovered in August that the emails the attackers may have accessed contained personal information and PHI. The breach investigation found that the unauthorized persons had access to the accounts between May 3, 2020 and May 15, 2020.

The types of data exposed varied from person to person and could have included full names, names of family members, relationship to the child receiving services, county of residence, date of birth, age, DFCS case numbers, DFCS identification numbers, number of times contacted by DFCS, an indicator of whether face-to-face contact was medically appropriate, phone numbers, email addresses, Medicaid medical insurance identification number, Medicaid identification number, Social Security number, medical provider name, and visit dates.

Psychological reports, counseling notes, health diagnoses, and substance abuse information relating to 12 people were also present in the compromised email accounts, along with the bank account information of one individual.

Phishing Attack on Einstein Healthcare Network

Einstein Healthcare Network, based in Philadelphia, PA, has notified 1,821 patients that some of their PHI may have been accessed by unauthorized people who gained access to several employee email accounts. The provider discovered the email security breach on August 10, 2020, but the investigation found that the attacker had accessed the email accounts from August 5 to August 17, 2020.

An analysis of the compromised email accounts showed they contained information such as patients' names, birth dates, patient account or medical record numbers, and/or treatment or medical data, for instance diagnoses, prescription drugs, healthcare provider names, types of treatment, or treatment locations. The medical insurance data and/or Social Security numbers of some patients were also exposed.

It was not possible to determine whether the attackers accessed or copied any emails, but since data theft cannot be ruled out, patients whose Social Security numbers were exposed were offered a free one-year membership of credit monitoring and identity protection services.

Einstein Healthcare Network has given its employees further training on identifying and avoiding suspicious emails and has taken steps to strengthen its email security.

Companies Facilitating or Making Ransomware Payments Could Face Sanction Risks

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has warned that firms that make ransom payments to hackers on behalf of attack victims may face sanctions risks for violating OFAC regulations. Ransomware victims that pay ransoms to cybercriminals could likewise face large federal fines if it turns out that the attackers are already subject to economic sanctions.

OFAC stated that ransom demands have risen throughout the COVID-19 pandemic as cybercriminals target the online systems that U.S. persons rely on to conduct business. Firms that facilitate ransomware payments to threat actors on behalf of victims, including financial institutions, cyber insurance firms, and digital forensics and incident response companies, not only encourage future ransom demands but may also risk violating OFAC regulations.

OFAC has sanctioned numerous individuals and groups involved in ransomware attacks over the past few years:

  • Evil Corp and its boss, Maksim Yakubets, who are behind the Dridex malware
  • two Iranians believed to be responsible for the SamSam ransomware attacks that began in late 2015
  • Evgeniy Mikhailovich Bogachev, who was known as the developer of Cryptolocker ransomware, first introduced in December 2016
  • the Lazarus Group from North Korea responsible for the May 2017 WannaCry 2.0 ransomware attacks

Paying ransom demands to sanctioned individuals or jurisdictions poses risks to U.S. national security interests. Facilitating a ransomware payment demanded as a result of malicious cyber activity could enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

U.S. persons are generally prohibited from engaging in direct or indirect transactions with individuals or entities on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.

Civil monetary penalties may be imposed for sanctions violations even when the person violating them did not know they were transacting with someone prohibited under the sanctions laws and regulations administered by OFAC. Anyone facilitating or making ransom payments to sanctioned persons, organizations, or regimes could face a financial penalty of up to $20 million.

Many entities do not disclose ransomware attacks or report them to law enforcement in order to avoid negative publicity and legal concerns, but by not reporting they hinder investigations by the authorities. OFAC stated in its advisory that it will consider a company's timely and complete report of a ransomware attack to law enforcement to be a significant mitigating factor when determining an enforcement outcome if the incident is later found to have a sanctions nexus.

The advisory also lists contact details that ransomware victims can use to find out whether cybercriminals are subject to sanctions and whether paying a ransom may involve a sanctions nexus.

OFAC has cautioned against paying ransoms. Doing so not only risks violating OFAC regulations but also offers no assurance that the cybercriminals will provide valid keys, that stolen records will be deleted, or that the attackers will not demand a further ransom. Paying a ransom may also embolden cybercriminals to carry out more attacks.

So far OFAC has only issued an advisory and raised awareness of the sanctions risks of paying any threat actor. Short of an outright prohibition on paying ransoms, attacks will most likely continue because they are profitable; only when attacks stop being profitable are cybercriminals likely to stop carrying them out.

Premera Blue Cross HIPAA Penalty of $6.85 Million is the 2nd Largest HIPAA Violation Penalty Ever

The Department of Health and Human Services' Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to settle the HIPAA violations uncovered during its investigation of a 2014 data breach involving the electronic protected health information (ePHI) of 10.4 million people.

Premera Blue Cross in Mountainlake Terrace, WA is the largest health plan in the Pacific Northwest and serves over 2 million people in Washington and Alaska. In May 2014, an advanced persistent threat (APT) group gained access to Premera's computer network and remained undetected for about 9 months. The hackers sent the health plan a spear-phishing email that deployed malware, which gave the APT group access to ePHI including names, dates of birth, addresses, email addresses, Social Security numbers, bank account details, and health plan clinical data.

Premera Blue Cross discovered the breach in January 2015 and notified OCR in March 2015. OCR opened an investigation and found "systemic non-compliance" with the HIPAA Rules.

OCR found that Premera Blue Cross had failed to:

  • Conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement adequate hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI, prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 persons.

Given the nature of the HIPAA violations and the severity of the breach, OCR determined that a financial penalty was appropriate. Premera Blue Cross settled the case with no admission of liability. In addition to paying the penalty, Premera Blue Cross agreed to implement a corrective action plan (CAP) addressing all areas of non-compliance identified by OCR, and will be monitored closely by OCR for two years to ensure compliance with the CAP.

OCR Director Roger Severino said that if large health insurers do not invest the time and effort to identify their security vulnerabilities, whether technical or human, hackers surely will. This case clearly illustrates the damage that results when attackers are allowed to roam undetected in a computer system for nearly nine months.

Last year, Premera Blue Cross agreed to pay $10 million to settle a HIPAA violation lawsuit over the breach. 30 state attorneys general had investigated the health plan and found that Premera Blue Cross failed to meet its obligations under Washington's Consumer Protection Act and HIPAA. Premera Blue Cross also agreed to a $74 million settlement of a lawsuit filed by individuals whose ePHI was exposed in the breach.

The latest penalty is the second largest HIPAA penalty OCR has imposed on a covered entity or business associate for HIPAA violations. The largest is the $16 million penalty imposed on Anthem Inc. over a 2015 data breach involving the ePHI of 79 million persons.

The penalty is the 11th announced by OCR in 2020 and the 8th announced this month. So far in 2020, OCR has received $10,786,500 in settlements of HIPAA violations uncovered during investigations of data breaches and HIPAA complaints.