Health Insurer Premera Settles Suit for Failing to Protect Sensitive Data

FOR IMMEDIATE RELEASE
July 11, 2019

Premera Breach Affects Millions Nationwide, Including About 50,000 Utahns

OLYMPIA, WA — Premera Blue Cross, the largest health insurance company in the Northwest, has settled a lawsuit over failing to fix known security problems that exposed the personal information of more than 10.4 million consumers nationwide, including approximately 50,000 Utahns, to a hacker.

Utah Attorney General Sean D. Reyes and 29 other attorneys general filed a settlement today that requires Premera Blue Cross to pay a total of $10 million to states over its insufficient data security and its failure to secure consumer data, including protected health and personal information.

A nearly year-long investigation focused on Premera’s cybersecurity vulnerabilities that gave a hacker unrestricted access to the data for almost a year. Under the settlement, Premera will:

  • Pay a total of $10 million to states.  (Premera settled a class action lawsuit for $74 million earlier this year.)
  • Implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general.
  • Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court.

“This was clearly a violation of Federal and Utah privacy laws and is simply unacceptable,” said Utah Attorney General Sean D. Reyes. “Even worse, the company knew about the deficient data security for nearly a year and didn’t take necessary measures to fix it. Consumers deserve much, much better.”

The complaint asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and the Utah Protection of Personal Information Act (UPPIA) by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for almost a year.

From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.

The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumers’ sensitive data vulnerable to hackers for nearly a year.

Today’s settlement also requires Premera to:

  • Ensure its data security program protects personal health information as required by law
  • Regularly assess and update its security measures
  • Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office
  • Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
  • Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

Today’s multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.

A copy of the settlement can be viewed here.

-30-

AG Celebrates BYU Women’s Rugby Team for an Undefeated Season

June 5, 2019

Today, Utah Attorney General Sean D. Reyes was pleased to host the members of the outstanding BYU Women’s Rugby Team at the Utah State Capitol to celebrate their undefeated season and victory in the D1 Spring College Championship.

Attorney General Reyes released this statement at the ceremony: 

“The Utah Attorney General’s Office congratulates the BYU Women’s Rugby Team for winning this national championship and inspiring youth and young women in particular, to further their educational goals, work hard, play by the rules and become winners on the field, in the classroom and in life.”

“Rugby has a rich tradition in Utah history. From Highland High School and Coach Larry Gelwix’s immeasurable influence and 20 national championships to numerous players on the USA Rugby team and international squads with Utah ties; and from Utah Warriors Professional Rugby, BYU Men’s national championship teams to the thousands of weekend players in local leagues over the years, rugby is an integral part of Utah’s DNA. Now the BYU Women’s Rugby Team adds its own story in this long legacy of champions.”

Reyes added that for years, law enforcement programs such as Police Athletic Leagues have encouraged youth to participate in sports and help them make successful life decisions.
