Cybersecurity · Healthcare · 2020
Premera Blue Cross
Premera Blue Cross agreed to pay $6.85 million to HHS OCR following a 2014 cyberattack that exposed the protected health information of 10.4 million individuals, including clinical and financial information. HHS OCR found systemic HIPAA non-compliance including failure to conduct an accurate and thorough risk analysis and failure to implement information system activity review — critically, a third-party security audit had identified the vulnerabilities later exploited by attackers several months before the breach occurred, but remediation was not completed in time.
Fine Imposed: €6.3M
Authority: HHS-OCR-US
Regulation
Key Takeaways
- Documented identification of security vulnerabilities that are subsequently exploited in a breach substantially increases regulatory exposure — awareness of risk without corresponding timely remediation is treated as aggravated HIPAA non-compliance by HHS OCR.