
Published on July 20th, 2019

Premera will pay millions for data breach


Data breach negotiations with Premera Blue Cross have
concluded, with the largest health insurance firm in the Pacific Northwest to
pay $10 million total, including $467,000 to Alaska, over its failure to secure
sensitive consumer data.

Alaska Attorney General Kevin Clarkson said that Premera failed
to meet its obligations under the federal Health Insurance Portability and
Accountability Act (HIPAA) and violated the state consumer protection act by
not addressing known cybersecurity vulnerabilities that gave a hacker
unrestricted access to protected health information for nearly a year.

Clarkson’s office said on July 11 that Premera’s
insufficient data security exposed protected information of over 10.4 million
consumers nationwide to a hacker.

“It would be one thing if Premera had quickly notified
individuals or tried to improve its security measures when it was alerted to
the issues,” Clarkson said. “Instead, Premera continued to downplay the harm
and tried to convince consumers their information was still safe.”

According to Assistant Attorney General John Haley, the
$467,000, which will go into the state’s general fund, more than covers the
state’s legal costs in this case.

Meanwhile, a $32 million preliminary settlement has been
reached in Oregon courts in a related national class action lawsuit. Most of
the individuals whose data was hacked live in Washington, Oregon, California
and Alaska, and will be notified once the settlement is finalized, Haley said.





A coalition of 30 states, led by Washington State Attorney
General Bob Ferguson, conducted the investigation. Premera’s $10 million
payment is in addition to any payment from the proposed class action
settlement, which was filed in federal court in Oregon but has not yet been
finalized by the court. Premera is also required to implement specific data security
controls intended to protect personal health information, annually review its
security practices and provide data security reports to the attorneys general.

Clarkson’s office said that from May 5, 2014, until March 6,
2015, a hacker had access to the Premera network containing sensitive personal
information, including private health information, Social Security numbers,
bank account information, names, addresses, phone numbers, dates of birth,
member identification numbers and email addresses.

Under HIPAA, Premera is required to implement
administrative, physical and technical safeguards that reasonably and
appropriately protect sensitive consumer information.

The settlement imposes several requirements on Premera,
including regularly assessing and updating its security measures and hiring a
chief information security officer experienced in data security and HIPAA
compliance, with responsibility for implementing, maintaining and monitoring
the company’s security program.
