FOR IMMEDIATE RELEASE
July 11, 2019
Health Insurer Premera Settles Suit for Failing to Protect Sensitive Data
Premera Breach Affects Millions Nationwide, Including About 50,000 Utahns
OLYMPIA, WA — Premera Blue Cross, the largest health insurance company in the Northwest, has settled a lawsuit over failing to fix known security problems that exposed the personal information of more than 10.4 million consumers nationwide, including approximately 50,000 Utahns, to a hacker.
Utah Attorney General Sean D. Reyes and 29 other attorneys general filed a settlement today that requires Premera Blue Cross to pay $10 million total to the states over its insufficient data security and its failure to secure consumer data, including protected health and personal information.
A nearly year-long investigation focused on Premera’s cybersecurity vulnerabilities that gave a hacker unrestricted access to the data for almost a year. Under the settlement, Premera will:
- Pay a total of $10 million to the states. (Premera settled a class action lawsuit for $74 million earlier this year.)
- Implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general.
- Make the $10 million payment to the states in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but has not yet been finalized by the court.
“This was clearly a violation of Federal and Utah privacy laws and is simply unacceptable,” said Utah Attorney General Sean D. Reyes. “Even worse, the company knew about the deficient data security for nearly a year and didn’t take necessary measures to fix it. Consumers deserve much, much better.”
The complaint asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Utah Protection of Personal Information Act (UPPIA) by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for almost a year.
From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.
The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.
The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors had warned the company of its security vulnerabilities prior to the breach.
Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumers’ sensitive data vulnerable to hackers for nearly a year.
Today’s settlement also requires Premera to:
- Ensure its data security program protects personal health information as required by law
- Regularly assess and update its security measures
- Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office
- Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
- Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
Today’s multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.
A copy of the settlement can be viewed here.
-30-