Up to 11M Affected By Premera Health HIPAA Breach

The healthcare industry has been hit hard by HIPAA breaches in recent months, with February’s data breach at Anthem the largest to date; however news has just broken that another insurer, Premera Blue Cross, has also been hit by hackers, in what has been described as the largest ever breach of healthcare information.

This successful hack potentially compromised the records of up to 11 million individuals. (The Anthem data breach of last month was the largest HIPAA breach ever recorded, although no health information was obtained by hackers in that incident.)

The hack has been described as being highly sophisticated in nature, with the initial access to data now determined to have occurred on Mar 5, 2014. The data exposed includes personal identifiers, medical histories and financial data, including plan member – and applicant – names, dates of birth, postal addresses, email addresses, Social Security numbers, bank account details, clinical information and details of medical insurance claims; according to a news report from Reuters.

The data that has potentially been compromised is not restricted to Premera Blue Cross. Premera Blue Cross Blue Shield of Alaska and its affiliate brands – Connexion Insurance Solutions and Vivacity – are also likely to be affected. According to a statement released by Premera Blue Cross, the breach also affects “Individuals who do business with us and provided us with their email address, personal bank account number or social security number.”

The breach also potentially affects any Premera Blue Cross members who sought or received treatment in Washington or Alaska, and according to Reuters, up to 6 million accounts of employees of Amazon.com, Microsoft and Starbucks, although other victims are spread across all 50 states.

The initial attack took place over a year ago, yet it took until January 29, 2015 for the hack to be uncovered, with Premera discovering the HIPAA breach on the same day that Anthem Inc., announced a potential 80M-record breach. According to a Primera spokesperson, the breach is not believed to be linked to the one at Anthem in spite of some similarities. According to Primera, it discovered the breach during a routine audit of its own computer systems.

Breach Notification Letters Issued

Under the HIPAA Breach Notification Rule, covered entities are permitted up to 60 days to report a breach of unencrypted healthcare data – or personal identifiers – to the Department of Health and Human Services’ Office for Civil Rights. It is also required to notify all affected individuals in writing during the same timeframe.

The insurer has now started sending breach notification letters to all concerned, but for a breach on this scale it is likely to take some days before all correspondence is dispatched, although the company has started issuing notifications in time to avoid a HIPAA violation.

Companies must also take responsibility for the unauthorized disclosure of PHI, and need to take action to mitigate any damage caused. In accordance with HIPAA Rules, the insurer will be offering all affected individuals two years of identity theft protection and credit monitoring services.

President and CEO, Jeff Roe, made a personal statement advising all individuals affected by the incident that the company takes the privacy of its members seriously and that he understands the frustration and concern that is likely to be caused.

“As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward,” Roe went on to say that “All of us here at Premera have been affected by this attack and we understand and share your concerns. Please know that we’re committed to making sure you get the tools and assistance you need to help protect you.”

Investigations into the HIPAA Breach Continue

The breach has been known for 6-weeks; however investigations are continuing into how the hackers were able to gain access to the insurer’s computer systems. Little information has been released so far detailing the exact nature of the attack, although at this stage it appears that none of the data has been “used inappropriately”.

What is of particular concern is the extent of the data exposed in the attack. Previous hacking attempts on other insurers and healthcare providers, including the last two major data breaches at Anthem and Community Health Systems, are not understood to have involved financial information or medical records.

This breach did include that data, which carries a high value to thieves. While medical and identity theft can be committed with just Social Security numbers and personal identifiers, when healthcare data is also exposed it allows thieves to “perpetrate really in-depth medical fraud” according to Dave Kennedy, Chief Executive of TrustedSEC LLC. Kennedy was consulted by Reuters about the data breach and explained that “”Medical records paint a really personal picture of somebody’s life and medical procedures.” This information can be used by thieves to obtain millions of dollars through Medicare and Medicaid fraud.

The hacking incident has been reported to the FBI, which is understood to be conducting an investigation to try to identify the individuals responsible and the insurer has also hired a private company, FireEye Inc, to conduct a full investigation.

According to Kennedy, “I think other insurance providers are compromised today and we still don’t know it. More and more are going to disclose attacks.” When other insurers, healthcare providers and healthcare clearinghouses conduct audits of their own computer systems, many are likely to discover that they have been affected by data breaches and that hackers have access to, and are using, their plan members and patients information to commit fraud.

It is not yet clear if the hack was made possible due to a lack of appropriate technical safeguards to protect plan member’s PHI and financial information, or whether Premera Blue Cross could have taken action prior to the breach to prevent access from being gained. This information is likely to emerge over the coming weeks and months, and the Office for Civil Rights is likely to take an interest in the incident.

One aspect of the breach that appears to indicate the HIPAA Security Rule has been violated is the time it took for the insurer to identify that its systems had been compromised. In the current climate, with healthcare providers and insurers under an increased threat from hackers, an annual check of the integrity of computer systems is not sufficient. The Security Rule requires covered entities to implement audit controls to monitor, record and examine all ePHI activity and ensure the integrity of PHI is maintained.

It may not be possible to prevent cyber attacks, but it is possible to limit the damage caused. If Premera Blue Cross is found to have been responsible for the breach – for not implementing the appropriate safeguards to protect the PHI it holds on its plan members – the Office for Civil Rights is likely to issue a substantial fine. The penalty for willful neglect is a minimum of $50,000 per violation, rising to $1.5 million per violation category, per year.

The insurer will also have to cover the cost of sending 11 million breach notification letters by first class mail, provide credit monitoring and protection services and may face civil class action lawsuits from victims seeking damages.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.