Published on July 12th, 2019

Premera Blue Cross to pay $10M to 30 states over 2014 data breach



Premera Blue Cross, the largest health insurance company in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.

The $10 million settlement was negotiated with the Washington attorney general’s office and filed in state court Thursday.

Washington State Attorney General Bob Ferguson led a coalition of 30 state attorneys general investigating the company’s practices following the 2014 health data breach that affected 10.4 million individuals nationwide and 6.4 million Washington state residents.


The settlement comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit (PDF) on behalf of affected customers, according to the Associated Press.

Premera will pay $5.4 million of the total recovery to the Washington State Attorney General’s Office, which will go toward continued enforcement of state data security and privacy laws, and nearly $4.6 million to the coalition of states that joined Ferguson’s legal action, according to the consent decree (PDF), filed in state court.

Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but has not yet been finalized by the court, according to the attorney general's press release.

The consent decree legally requires Premera to implement specific data security controls to protect personal health information, annually review its security practices and provide data security reports to the Washington State Attorney General’s Office.


For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera about the vulnerabilities within its system, including inadequate patch management, but the company failed to fix the problems, according to Washington State's complaint (PDF) against Premera.

The states accuse Premera of failing to meet its obligations under the federal Health Insurance Portability and Accountability Act and Washington State's Consumer Protection Act by not addressing known cybersecurity vulnerabilities that gave a hacker access to protected health information for almost a year.

“Premera had an obligation to safeguard the privacy of millions of Washingtonians—and failed,” Ferguson said in a statement. “As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers' sensitive health information was at risk.”





The hacker took advantage of multiple known weaknesses in Premera’s data security, according to the states.

During the breach, which lasted from May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses, according to the complaint.


Patients whose data was exposed include all Premera Blue Cross subscribers from 2002 through early 2015, as well as patients insured through other Blue Cross companies who sought treatment in Washington or Alaska, according to the Associated Press.

The states accuse Premera of misleading Washingtonians and other consumers nationwide about its privacy practices before and after the data breach. 

After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused,” according to the complaint. Premera also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach, the states claim.

The consent decree filed in state court on Thursday requires Premera to take a number of steps to strengthen its cybersecurity program, including regularly assessing and updating its security measures, creating a compliance program, hiring a compliance officer with a background in HIPAA compliance, and providing security training to all employees who handle personal information and protected health information.


Premera also is required to hire a chief information security officer who will hold regular meetings with Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery, according to the consent decree.

In the federal class-action lawsuit filed against Premera Blue Cross over the data breach, plaintiffs accused the insurer of destroying a computer containing evidence of the hacking after they filed their complaint.

The settlement in the federal class-action requires Premera to pay for two years of credit monitoring on behalf of its customers. It also offers them up to $50, or up to $100 for subscribers in California, plus reimbursement of documented out-of-pocket expenses related to the breach, the Associated Press reported.
