Premera Blue Cross (Premera) has agreed to settle with the Office for Civil Rights (OCR) for $6.85 million over allegations of violations of HIPAA after an investigation of a data breach that occurred in 2014 affecting 10.4 million individuals. This is the largest settlement the OCR has entered into with a covered entity in 2020, and the second largest in history (second only to Anthem, which settled with the OCR for $16 million in 2018 for a data breach that occurred in 2015).

Premera self-reported to the OCR on March 17, 2015, that cyber-attackers infiltrated its IT system through a phishing campaign in May 2014, which went undetected until January of 2015. The attack, an advanced persistent threat, compromised the protected health information of 10.4 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information and clinical information.

Following an investigation, the OCR alleged that Premera failed both to conduct an enterprise-wide security risk analysis and to implement risk management measures or audit controls.

In addition to the payment of the settlement amount, Premera entered into a Corrective Action Plan to implement security measures, including conducting a risk analysis and developing and implementing a risk management plan, and revising its privacy and security policies.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.