On September 25, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $6.85 million settlement with health insurance company Premera Blue Cross regarding a data breach that affected over 10.4 million people.
In May 2014, hackers used a phishing email to install malware on Premera’s IT system and steal patients’ protected health information (PHI) until the breach was discovered in January 2015. The OCR investigation found systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, which will be resolved as part of a corrective action plan included in the settlement agreement.