Premera Blue Cross Settles for $10 Million with 30 State Attorney Generals

Premera Blue Cross has agreed to a $10 million settlement to resolve lawsuit involving 30 state attorneys general for a 2014 data breach which compromised 10.4 million records.

A hacker compromised Premera Health’s network on May 5, 2014, and had access until March 6, 2015. During this time, the hacker could access highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers.

Premera Health record’s included information on individuals from Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington. The Attorney General of each of the aforementioned states participated in the lawsuit.

Washington State Attorney General Bob Ferguson led the investigation. Experts undertook a careful analysis of the security vulnerabilities that had been exploited by the hacker. Premera Health’s policies and procedures were also scrutinized to understand why it took nearly a year for the organization to detect the hacker.

The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all HIPAA-covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). The investigators determined that Premera Health violated HIPAA by failing to meet minimum standards for security.

Its own auditors had repeatedly told Premera Health that its security program was inadequate. They failed to act on this advice, making the breach even more egregious.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said New Jersey Attorney General Gurbir S. Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

In addition to the financial penalty, Premera Blue Cross is required to implement further security controls to ensure the electronically protected health information of its plan members is better protected.

A third-party cybersecurity expert must also conduct annual cybersecurity reviews. The reports produced by the experts must be sent to the attorneys general.

Premera Blue Cross must also hire a CISO with experience in HIPAA compliance and data security who will be responsible for implementing and maintaining Premera Health’s security program. The CISO is required to attend regular meetings with executive management and must meet with the CEO at least every 2 months. The CISO is also required to report any network breaches within 48 hours of discovery.

Last month, Premera Blue Cross agreed to pay $74 million to settle a class-action lawsuit filed by plan members affected by the breach.