Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Premera Blue Cross Pays States $10 Million Over Data Breach

Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.

Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.

The settlement, negotiated with the Washington attorney general’s office and filed in state court Thursday, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.

The states said auditors had alerted Premera to the vulnerabilities in its system, including that it was slow to install software updates and security patches, but it failed to fix them. They accused Premera of failing to meet its obligations to protect the data under the federal Health Insurance Portability and Accountability Act, known as HIPAA, and Washington’s Consumer Protection Act.

“Premera knew they had a problem,” said Washington Attorney General Bob Ferguson. “Their own experts told them. They chose to ignore the advice of their own experts.”

During the breach, which lasted from May 2014 to March 2015, hackers had access to sensitive data — including medical records, bank account information and Social Security numbers — for 10.4 million people, the majority of them in Washington.

Premera is based in Mountlake Terrace, a north Seattle suburb. Those whose data was exposed include all Premera Blue Cross subscribers from 2002 through early 2015, as well as patients insured through other Blue Cross companies who sought treatment in Washington or Alaska.

Under the settlement, Premera will pay $5.4 million to Washington and the rest to the other states, and it will implement data security controls to protect personal health information, review its security practices yearly and provide data security reports to the attorney general’s office.

“The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information,” Premera spokeswoman Dani Chung said in an emailed statement. “Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015.”

Chung said independent experts had not made a finding that any customer information was removed from Premera’s systems, but the federal class-action case alleged that hackers used the private information to open fraudulent accounts, file fraudulent tax returns and steal identities.

The settlement in the federal class-action, which still requires the approval of a judge in Oregon, requires Premera to pay for two years of credit monitoring on behalf of its customers. It also offers them up to $50 — $100 for subscribers in California — plus reimbursement of documented out-of-pocket expenses related to the breach.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.