Premera to pay $10M to settle state suits on breach
Health insurer Premera Blue Cross Blue Shield will pay $10 million to settle a suit brought against the company by Washington Attorney General Bob Ferguson.
The health plan, in the Pacific Northwest, in 2015 discovered a huge data breach affecting 10.4 million members.
Some 29 other state attorneys general have joined the suit. Premera will pay $5.4 million in recovery costs to the Washington State Attorney General’s Office to fund continued enforcement of state data and privacy laws, plus another $4.6 million to the other states.
But the bill will get much higher, as Premera further will spend as much as $74 million to settle a federal class action suit for members affected by the breach and take significant actions to better protect personal health information.
From May 5, 2014, until March 6, 2015, a hacker had unauthorized access to the Premera network, which held at least 10 sensitive types of personal information.
For years prior to the breach, cybersecurity professional and Premera’s own auditors repeatedly warned the company of issues with its cybersecurity, but fixes were not made, according to Attorney General Ferguson’s complaint. After the breach was disclosed, Premera’s call center agents told members there was no reason to believe that their information was at risk.
“Premera had an obligation to safeguard the privacy of millions of Washingtonians and failed,” Ferguson says. “As a result, millions had their sensitive data exposed.”
The consent decree includes nine steps the organization must successfully complete. Among them are mapping where protected health information is located on the Premera network; hiring a chief information security officer separate from the chief information officer; holding regular meetings between the CISO and executive management; hiring a HIPAA compliance officer; and providing security training to all employees handling protected health information.
The consent decree is available here.