Published on July 13th, 2019

Premera Reaches $10M Settlement with 30 States Over 2014 Data Breach

By Jessica Davis

July 12, 2019 - One month after settling with its data breach victims, Premera Blue Cross signed a $10 million settlement with 30 states after a 10-month hack on its system breached the data of 10.4 million patients.

Washington Attorney General Bob Ferguson led an investigation into the breach, which Premera officials discovered in January 2015. The intrusion had begun in May 2014 and went undetected for 10 months.

Ferguson’s team found that Premera failed to meet its HIPAA obligations and violated state consumer protection laws, including the Washington State Consumer Protection Act, when it did not address known cybersecurity vulnerabilities.

According to Ferguson, Premera ignored repeat warnings from cybersecurity leaders and its own auditors about its inadequate security: “the company accepted many of the risks without fixing its practices.”

The insurer misled consumers about its privacy practices before and after the data breach was detected and announced, when officials told the public “there were already significant security measures in place to protect your information,” Ferguson said.

Patients from Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions were impacted. In total, 10.4 million patients saw a trove of their personal data breached by the hack, from demographic details to bank account numbers, Social Security numbers, and clinical data.

Those patients filed a lawsuit soon after the breach was announced, and in June, Premera reached a $74 million settlement with the victims. Announced on Thursday, the $10 million payment to the 30 states will be in addition to the class-action settlement.

Under the settlement, Premera will pay $5.4 million to Washington and $4.6 million to the remaining 29 states.

In addition to the monetary penalty, Premera is required to ensure its data security program is adequate to protect health data as required by law. The settlement also mandates that the insurer regularly assess and update its security, map where HIPAA-protected data is located on its network, and provide security reports completed by an outside security firm that must be approved by the 30-state coalition.

Further, the settlement requires Premera hire a chief information security officer, separate from its chief information officer, who will be tasked with data security, HIPAA compliance, and managing the insurer’s security program.

Premera must also hold regular meetings between the CISO and the executive management, including a meeting between the CISO and CEO that must be held every two months. Any unauthorized access to the network must also be reported to the CEO within 48 hours.

Lastly, the insurer must create a compliance program and hire a compliance officer with a HIPAA background, and provide security training to all employees who handle PHI.

The multi-state agreement includes Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.

“Premera had an obligation to safeguard the privacy of millions of Washingtonians—and failed,” Ferguson said in a statement. “Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers' sensitive health information was at risk.”

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said New Jersey Attorney General Gurbir Grewal, in a statement. “Companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

Premera joins a growing list of breached providers fined by state attorneys general, who have cracked down on security incidents in recent years. Most recently, Aetna and the vendor behind a 2016 Virtua Healthcare data breach settled with states over separate data breaches.

And in May, Medical Informatics Engineering reached a $900,000 settlement in the country's first federal multistate lawsuit, over a 2015 data breach that impacted 3.5 million patients.
