GDPR violation

Premera Blue Cross to pay $10 million for HIPAA violation.

In July 2019, Washington-based Premera Blue Cross, a not-for-profit health care organization, agreed to pay $10 million as a settlement for violating the Health Insurance Portability and Accountability Act (HIPAA) compliance regulation. A data breach that occurred in 2014 exposed medical and financial data of 10 million users.

What happened?

On May 5, 2014, an attacker gained entry into the network and remained undetected until March 2015. The attacker siphoned off member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers. It was later determined that the attacker exploited vulnerabilities in the company's security protocols to enter the network.

Washington State Attorney General Bob Ferguson investigated the company's practices following the 2014 health data breach and confirmed that the company had failed to meet the security standards of HIPAA. It was revealed that cybersecurity experts had warned Premera before the breach to address its security loopholes, but it failed to do so.

The multi-state settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.

Apart from the financial penalty, Premera was also directed to implement strict security controls, hire a third-party cybersecurity provider to review its security efforts, and send regular reports to the state Attorney General's Office.

If you want to avoid making the news for the wrong reasons, consider getting a network security and log management tool like ManageEngine Log360 to help combat internal and external security attacks.

How ManageEngine can help:

HIPAA mandates the standards organizations need to follow to protect and maintain the confidentiality of personally identifiable health care information. ManageEngine Log360, a comprehensive log management solution, helps IT security admins meet HIPAA requirements by monitoring and auditing access to critical data. This solution identifies and tracks suspicious insider activity as well.

Log360 provides out-of-the-box reports with exhaustive information on data access, user activity, user logon and logoff activity, and more. With Log360 reports, you can draw meaningful insights on accesses, modifications, and permissions of critical files to help mitigate insider threats. This solution also generates real-time email or SMS alerts for instant notifications about any compliance violations. Using Log360, you can:

  • Monitor, audit, and report on all data accesses to identify anomalies, and ensure no unauthorized changes to protected health information (PHI) take place.
  • Use customizable, built-in alerting capabilities to audit file- and folder-related activities on a regular basis.
  • Get detailed information on user logon and logoff activity, such as the username, date and time, reason for the logon failure, and more.
  • Detect and respond to mass file accesses with customizable, automated responses.
  • Identify local system processes such as system startups, shutdowns, or changes to the system time or audit logs using preconfigured reports.
  • Securely archive audit log data so it can be loaded back to the database at any time, and conduct forensic analysis to identify the root cause of any unauthorized attempts.

Ready to get started? Download a free trial version of Log360 to test these features out yourself.



2022 Zoho Corporation Pvt. Ltd. All rights reserved.