Data breach negotiations with Premera Blue Cross have concluded, with the largest health insurance firm in the Pacific Northwest agreeing to pay $10 million in total, including $467,000 to Alaska, over its failure to secure sensitive consumer data.
Alaska Attorney General Kevin Clarkson said that Premera failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated the state consumer protection act by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for nearly a year.
Clarkson’s office said on July 11 that Premera’s insufficient data security exposed protected information of over 10.4 million consumers nationwide to a hacker.
“It would be one thing if Premera had quickly notified individuals or tried to improve its security measures when it was alerted to the issues,” Clarkson said. “Instead, Premera continued to downplay the harm and tried to convince consumers their information was still safe.”
According to Assistant Attorney General John Haley, the $467,000, which will go into the state’s general fund, more than covers the state’s legal costs in this case.
Meanwhile, a $32 million preliminary settlement has been reached in Oregon courts in a related national class action lawsuit. Most of the individuals whose data was hacked live in Washington, Oregon, California and Alaska, and they will be notified once the settlement is finalized, Haley said.
A coalition of 30 states, led by Washington State Attorney General Bob Ferguson, conducted the investigation. Premera’s $10 million payment is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon, but not yet finalized by the court. Premera is also required to implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general.
Clarkson’s office said that from May 5, 2014 until March 6, 2015, a hacker had access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.
Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information.
The settlement stipulates several requirements of Premera, including regularly assessing and updating its security measures and hiring a chief information security officer experienced in data security and HIPAA compliance, with responsibility for implementing, maintaining and monitoring the company’s security program.