Premera Blue Cross, the largest health insurance company in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.
The $10 million settlement was negotiated with the Washington attorney general’s office and filed in state court Thursday.
Washington State Attorney General Bob Ferguson led a coalition of 30 state attorneys general investigating the company’s practices following the 2014 health data breach that affected 10.4 million individuals nationwide and 6.4 million Washington state residents.
Premera will pay $5.4 million of the total recovery to the Washington State Attorney General’s Office, which will go toward continued enforcement of state data security and privacy laws, and nearly $4.6 million to the coalition of states that joined Ferguson’s legal action, according to the consent decree (PDF), filed in state court.
Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court, according to the attorney general's press release.
The consent decree legally requires Premera to implement specific data security controls to protect personal health information, annually review its security practices and provide data security reports to the Washington State Attorney General’s Office.
For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera about vulnerabilities within its systems, including inadequate patch management, but the company failed to fix the problems, according to Washington State's complaint (PDF) against Premera.
The states accuse Premera of failing to meet its obligations under the federal Health Insurance Portability and Accountability Act and Washington State's Consumer Protection Act by not addressing known cybersecurity vulnerabilities that gave a hacker access to protected health information for almost a year.
“Premera had an obligation to safeguard the privacy of millions of Washingtonians—and failed,” Ferguson said in a statement. “As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers' sensitive health information was at risk.”
A Premera spokeswoman said in a statement, "We are pleased to have reached an agreement with state attorneys general to resolve legal inquiries into the 2014 cyberattack on our data network. The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information."
"Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015," the company spokeswoman said. "It is important to note that independent investigators have made no determination that any customer information was removed from Premera’s systems."
The hacker took advantage of multiple known weaknesses in Premera’s data security, according to the states.
During the breach, which lasted from May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses, according to the complaint.
Patients whose data was exposed include all Premera Blue Cross subscribers from 2002 through early 2015, as well as patients insured through other Blue Cross companies who sought treatment in Washington or Alaska, according to the Associated Press.
The states accuse Premera of misleading Washingtonians and other consumers nationwide about its privacy practices before and after the data breach.
After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused," according to the complaint. Premera also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach, the states claim.
The consent decree filed in state court on Thursday requires Premera to take a number of steps to strengthen its cybersecurity program, including regularly assessing and updating its security measures, creating a compliance program, hiring a compliance officer with a background in HIPAA compliance, and providing security training to all employees who handle personal information and protected health information.
Premera also is required to hire a chief information security officer who will hold regular meetings with Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery, according to the consent decree.
In the federal class-action lawsuit filed against Premera Blue Cross over the data breach, plaintiffs accused the insurer of destroying a computer containing evidence of the hacking after they filed their complaint.
Under the terms of the proposed settlement in the federal class action, Premera will pay $32 million to resolve the litigation, providing two years of credit monitoring and identity protection services, reimbursement of out-of-pocket losses, and cash payments to all class members who make a claim. The company also will pay $42 million in funding for its information security program over the next three years.
In a statement about the proposed settlement to the federal class-action lawsuit, Premera’s executive vice president and chief information officer Mark Gregory said, "We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack."
The company recently achieved HITRUST certification, Gregory said. The settlement does not include any finding of wrongdoing, and Premera is not admitting any wrongdoing or that any individuals were harmed because of the cyberattack, the company said.