Premera Blue Cross (Premera) has agreed to settle with the Office for Civil Rights (OCR) for $6.85 million over allegations of violations of HIPAA after an investigation of a data breach that occurred in 2014 affecting 10.4 million individuals. This is the largest settlement the OCR has entered into with a covered entity in 2020, and the second largest in history (second only to Anthem, which settled with the OCR for $16 million in 2018 for a data breach that occurred in 2015).

Premera self-reported to the OCR on March 17, 2015, that cyber-attackers infiltrated its IT system through a phishing campaign in May 2014, which went undetected until January of 2015. The attack, an advanced persistent threat, compromised the protected health information of 10.4 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and clinical information.

Following an investigation, the OCR alleged that Premera failed both to conduct an enterprise-wide security risk analysis and to implement risk management measures or audit controls.

In addition to the payment of the settlement amount, Premera entered into a Corrective Action Plan to implement security measures, including conducting a risk analysis and developing and implementing a risk management plan, and revising its privacy and security policies.