
Published on July 12th, 2019


Premera Blue Cross agrees to pay $10.4 million to Oregon, 29 states after massive data breach



Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10.4 million to 30 states following the investigation of a data breach that exposed confidential information of more than 10 million people, including 700,000 Oregonians.

The settlement, negotiated by the Oregon attorney general’s office and the other states, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.

Oregon will receive $1.3 million.

State officials said auditors had alerted Premera to the vulnerabilities in its system, including that it was slow to install software updates and security patches, but the company failed to fix them. They accused Premera, also known as LifeWise Health Plan of Oregon, of failing to meet its obligations to protect the data under the federal Health Insurance Portability and Accountability Act, known as HIPAA, and Washington's Consumer Protection Act.

“It’s horrifying to think that for nearly one entire year, a hacker had access to the sensitive health records and personal data of millions of Americans,” said Oregon Attorney General Ellen Rosenblum. “Companies must be held accountable for sloppy privacy practices that put the sensitive data of patients at risk. We simply must make it a priority to educate all Americans how to recognize suspicious emails and avoid getting hacked.”

On May 5, 2014, a hacker gained access to the Premera network by “spear-phishing” – using an email disguised as a communication from the company’s IT department. The email’s domain name was misspelled and included other obvious typos and the wrong physical address for the IT department — common signs of a spear-phishing attempt.





The fraudulent email asked the employee to enter user credentials to download a security update. In reality, the employee ended up downloading malware that provided the hacker with access to the company’s network.

During the breach, which lasted from May 2014 to March 2015, hackers had access to sensitive data, including medical records, bank account information and Social Security numbers, for more than 10 million people, the majority of them in Washington.

Premera is based in Mountlake Terrace, a suburb of Seattle. Premera Blue Cross subscribers from 2002 through early 2015, as well as patients insured through other Blue Cross companies who sought treatment in Washington or Alaska, were exposed in the breach.

Premera, which agreed to pay $5.4 million to Washington, also promised to implement data security controls, to annually review security practices and provide security reports to the Washington attorney general’s office.
