Cyber-Attackers' Theft of Over Ten Million Individuals' PHI Leads to $6.85 Million HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a settlement of potential security-oriented violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with a Washington-based health plan—a HIPAA covered entity (CE) and business associate (BA). Under the agreement, the plan must pay $6.85 million to HHS and comply with a two-year corrective action plan (CAP).

by Practical Law Employee Benefits & Executive Compensation
Published on 28 Sep 2020
USA (National/Federal)
On September 25, 2020, HHS issued a resolution agreement and related press release announcing a settlement with a Washington-based health plan and insurer (a HIPAA covered entity (CE) and business associate (BA)) for potential violations of the HIPAA Privacy and Security Rules (see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Notes, HIPAA Privacy Rule and HIPAA Security Rule). Under the agreement, the plan must:
  • Pay $6.85 million to resolve the action.
  • Comply with a two-year corrective action plan (CAP).

PHI of Over Ten Million Individuals Stolen in Cyber Attack

In March 2015, the health plan submitted a breach report to HHS, indicating that cyber-attackers had gained access to its system in May 2014 through a phishing email that installed malware on the plan's system—which in turn permitted access to the plan's network. The attack lasted from May 2014 until January 2015 and resulted in the impermissible disclosure of the electronic protected health information (ePHI) of more than 10.4 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, and banking and health plan information.
HHS's investigation revealed that the plan failed to:
  • Conduct an accurate and thorough assessment of the risks and vulnerabilities concerning the ePHI in its possession.
  • Implement sufficient security procedures to adequately reduce the risks and vulnerabilities to its ePHI.
  • Implement adequate hardware, software, or procedural mechanisms to record and review activity on its information systems containing ePHI until March 2015.
  • Prevent unauthorized access to the ePHI of more than 10.4 million individuals that was stored on its network.

Corrective Action Plan Focuses on Security Rule Compliance

In addition to the $6.85 million payment, the health plan must comply with a CAP that imposes obligations concerning risk analysis and risk management, HIPAA policies and procedures, and reporting violations of its policies and procedures.

Risk Analysis and Risk Management

The CAP requires the plan to:
  • Perform an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in its possession (see Article, HIPAA Compliance and the Limits of Gap Analyses).
  • Create and adopt an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Annually review and, if necessary, revise the risk analysis and corresponding risk management plan.
The plan must submit its risk analysis and risk management plan to HHS for approval.

HIPAA Policies and Procedures; Minimum Content Requirements

The CAP also requires the plan to revise its HIPAA policies and procedures. The revised policies and procedures must address the following Security Rule provisions:
In addition, the plan must:
  • Submit the revised policies and procedures to HHS for approval.
  • Once approved, adopt and distribute the revised policies and procedures to workforce members.
  • Review and, if necessary, revise the policies and procedures annually.

Reportable Events

Under the CAP, the plan must promptly investigate reports that a workforce member has violated its HIPAA policies and procedures. If an investigation reveals that a workforce member has materially violated the plan's policies and procedures (referred to in the CAP as a reportable event), the plan must notify HHS in writing, including:
  • A description of the reportable event, including the role of the workforce member involved and the relevant policy provision that was violated.
  • A description of the plan's mitigation efforts, any steps it plans to take to prevent future violations, and sanctions imposed, if any.

Practical Impact

This settlement between HHS and the insurer of the largest health plan in the Pacific Northwest (Premera Blue Cross) is in addition to a $10 million settlement involving this breach that was secured by state attorneys general in July 2019 (see Practice Note, HIPAA Enforcement: Settlement Agreements: Litigation by State Attorneys General and Legal Update, State Attorneys General Secure $10 Million Settlement in Multistate HIPAA Data Breach Lawsuit). According to HHS, the payment is the second-largest ever to resolve a HIPAA settlement. (Regarding the largest breach in HHS history, see Legal Update, Anthem's $16 Million HIPAA Settlement Is Largest in History.)
This latest settlement is also the third in the past several days originating from hacker and cyber-attacker activity. All three resulted in payments measured in the millions, underscoring the seriousness of HIPAA compliance efforts, particularly regarding the Security Rule. (For more information, see Legal Updates, Hacker's Theft of Over Six Million Individuals' PHI Leads to $2.3 Million HIPAA Settlement and Hacker Group's Impermissible Access to ePHI Leads to $1.5 Million HIPAA Settlement.)