$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China.

Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon.

The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members.

Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the breach.

Most of the fund will cover the cost of an additional two years of credit monitoring and identity theft protection services. Victims of the data breach will also be able to claim back provable out-of-pocket expenses relating to the breach and can claim for the time spent remedying issues related to the breach.

A cash payment of up to $50 will be available to individuals who do not submit out-of-pocket expenses claims and up to $50 can be claimed as compensation by California residents under the California Confidentiality of Medical Information Act. The fund will also cover attorneys’ fees and administrative and notification costs.

The remaining $42 million will be invested by Premera Blue Cross in its information security program over the next three years. Some of the measures that Premera Blue Cross will be implementing are encryption for sensitive types of personal information, improved data security controls, annual third-party security audits, enhanced network logging and monitoring, and the migration of certain data into archived, secure databases with strict access controls. Premera Blue Cross will also be strengthening its passwords, enhancing email security, and will reduce employee access to sensitive data.

Premera Blue Cross has already taken steps to improve security and has recently achieved HITRUST certification. HITRUST certification demonstrates the ability of the company to identify risks, protect data, detect cyberattacks, and respond to data breaches.

“Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts,” said Premera’s Executive Vice President and Chief Information Officer, Mark Gregory. “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack.”

The settlement agreement will resolve the litigation with no admission of wrongdoing by Premera Blue Cross nor any acceptance that harm has been experienced by victims of the breach.

“This is a great result that will provide real and meaningful relief to the class,” said Keith Dubanevich, interim liaison counsel for the plaintiffs. A motion for preliminary approval has already been filed. The settlement now awaits court approval.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.