Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Premera Blue Cross Pays States $10 Million Over Data Breach

Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.

Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.

The settlement, negotiated with the Washington attorney general’s office and filed in state court Thursday, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.

The states said auditors had alerted Premera to the vulnerabilities in its system, including that it was slow to install software updates and security patches, but it failed to fix them. They accused Premera of failing to meet its obligations to protect the data under the federal Health Insurance Portability and Accountability Act, known as HIPAA, and Washington’s Consumer Protection Act.

“Premera knew they had a problem,” said Washington Attorney General Bob Ferguson. “Their own experts told them. They chose to ignore the advice of their own experts.”

During the breach, which lasted from May 2014 to March 2015, hackers had access to sensitive data — including medical records, bank account information and Social Security numbers — for 10.4 million people, the majority of them in Washington.

Premera is based in Mountlake Terrace, a north Seattle suburb. Those whose data was exposed include all Premera Blue Cross subscribers from 2002 through early 2015, as well as patients insured through other Blue Cross companies who sought treatment in Washington or Alaska.

Under the settlement, Premera will pay $5.4 million to Washington and the rest to the other states, and it will implement data security controls to protect personal health information, review its security practices yearly and provide data security reports to the attorney general’s office.

“The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information,” Premera spokeswoman Dani Chung said in an emailed statement. “Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015.”

Chung said independent experts had not made a finding that any customer information was removed from Premera’s systems, but the federal class-action case alleged that hackers used the private information to open fraudulent accounts, file fraudulent tax returns and steal identities.

The settlement in the federal class-action, which still requires the approval of a judge in Oregon, requires Premera to pay for two years of credit monitoring on behalf of its customers. It also offers them up to $50 — $100 for subscribers in California — plus reimbursement of documented out-of-pocket expenses related to the breach.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.