Premera Blue Cross has agreed to pay $10 million to 30 states following a data breach that exposed sensitive information on over 10 million people across the country.
The settlement, negotiated with the Washington State Attorney General's Office and led by Attorney General Bob Ferguson, claims Premera Blue Cross, the largest health insurer in the Pacific Northwest, failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) by ignoring known security vulnerabilities that enabled hackers to access protected health data for nearly a year.
From May 5, 2014, to March 6, 2015, hackers had unauthorized access to the Premera network, exposing sensitive information on 10.4 million people, the majority of them in Washington. Information compromised includes consumers' private health data, Social Security numbers, banking information, full names, addresses, dates of birth, member identification numbers, email addresses, and phone numbers.
Hackers gained access to the network by exploiting multiple known weaknesses in Premera's data security. For years prior to the breach, cybersecurity experts and auditors repeatedly warned Premera of the vulnerabilities in its systems, including slow installation of software updates and security patches, but the company failed to fix them. To learn more about the problems with running outdated software, check out our latest whitepaper.
Ferguson also claims that Premera misled consumers about its privacy practices before and after the breach. Privacy notices shared with members claimed "We take steps to secure our buildings and electronic systems from unauthorized access," which was ultimately not the case. Once the breach went public, Premera's call center agents reportedly told consumers there was "no reason to believe that any of your information was accessed or misused," which was also found to be untrue.
Under HIPAA, health organizations are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera failed to meet these standards, leaving millions of consumers vulnerable to dangers like fraudulent tax returns, fraudulent bank account activity, and identity theft.
Under this settlement, Premera is required to pay $5.4 million to Washington and the rest of the states, implement data security controls to protect personal health data, review its security practices annually, and provide third-party data security reports to the attorney general offices. Premera is also required to hire a Chief Information Security Officer, create a compliance program, hire a compliance officer with a background in HIPAA compliance, and provide security training to all employees who handle protected health information.
This new settlement comes just weeks after Premera agreed to pay $74 million to settle a federal class-action lawsuit on behalf of affected customers. That settlement, which still requires approval from a judge in Oregon, would require Premera to pay for two years of credit monitoring services for its customers. For subscribers in California, Premera will offer up to $50-100 per person, plus reimburse customers for all documented out-of-pocket expenses related to the breach.
Healthcare providers and payers continue to be targets of hackers due to the high demand for personal records on the black market. To protect personal data and protected health information, NNT suggests leveraging the foundational security controls outlined by all leading security frameworks, such as HIPAA and CIS, together with the operational discipline of change management. Learn more about NNT's Solutions for the Healthcare Industry.