The Office for Civil Rights (OCR) in the US Department of Health and Human Services (HHS) announced that Premera Blue Cross has agreed to pay USD6.85 million and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy rules related to a data breach incident that had affected over 10.4 million people. The resolution is the second largest payment to resolve a HIPAA investigation in OCR history. The company is the largest health plan in the Pacific Northwest of the USA. The data breach was reported by Premera Blue Cross on behalf of itself and its network of affiliates in March 2017, stating that cyber attackers had gained unauthorised access to its IT system. The hackers used a phishing email to install malware that granted them access to the company's IT system in May 2014, and the intrusion went undetected for almost nine months until January 2015. The undetected cyberattack, also known as an advanced persistent threat, caused the disclosure of more than 10.4 million individuals' protected health information, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. The OCR's investigation discovered that the company's IT system was not compliant with the HIPAA rules and that the company had failed to conduct an enterprise-wide risk analysis, implement risk management, and undertake audit controls.