Printer Friendly, PDF & Email

Failure to Plug Security Gaps Leads to Large OCR Settlements for Premera, CHSPSC

A large covered entity and a CE-affiliated business associate (BA) each paid multimillion-dollar settlements and agreed to two-year corrective action plans following prolonged cyberattacks that resulted in huge breaches.

The payments—$6.85 million from insurer Premera Blue Cross over a 2015 data breach[1] and $2.3 million from CHSPSC LLC,[2] an affiliate of Community Health Systems Inc., over a 2014 data breach—came as part of a flurry of breach settlements from the HHS Office for Civil Rights (OCR) in September.

At the same time as the OCR settlements, Anthem Inc. reached a $39.5 million settlement with 43 state attorneys general over a 2014 data breach, in which it also agreed to implement comprehensive security measures.[3]

In both the Premera case and the CHSPSC case, OCR found what it termed systemic longstanding issues of noncompliance with the HIPAA security rule. In Premera’s case, the insurer had been warned about security issues but failed to take action, OCR said, while in CHSPSC’s case, the company had received a warning from the FBI about a potential hack, but failed to step in quickly to stop it.

This document is only available to subscribers. Please log in or purchase access.