Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general.
The settlement resolves alleged violations of state and federal laws that contributed to its 10.4-million-record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers.
Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.
Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of sensitive data and how the attack went undetected for almost a year.
The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all HIPAA-covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). The investigators determined that Premera Health violated HIPAA by failing to meet minimum standards for security.
This was not an oversight. Premera Health had been repeatedly told by its own auditors that its security program was inadequate. The risks of a data breach were accepted without any corrections being made to address vulnerabilities.
“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said New Jersey Attorney General Gurbir S. Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”
In addition to the financial penalty, Premera Blue Cross is required to implement further security controls to ensure the electronic protected health information of its plan members is better protected. Annual cybersecurity reviews must also be conducted by a third-party cybersecurity expert and data security reports must be sent to the attorneys general.
Premera Blue Cross must also hire a CISO with experience in HIPAA compliance and data security who will be responsible for implementing and maintaining Premera Health’s security program. The CISO is required to attend regular meetings with executive management and must meet with the CEO at least every 2 months. The CISO is also required to report any network breaches within 48 hours of discovery.
It has been an expensive four weeks for Premera Blue Cross. Last month, Premera Blue Cross agreed to pay $74 million to settle a class action lawsuit filed by plan members affected by the breach.