Premera Blue Cross has agreed to pay $10 million to 30 states following a data breach that exposed sensitive information on over 10 million people across the country. 

The settlement negotiated with the Washington State Attorney Generals Office and led by Attorney General Bob Ferguson claims Premera Blue Cross, the largest health insurer in the Pacific Northwest, failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) by ignoring known security vulnerabilities that enabled hackers to access protected health data for nearly a year. 

From May 5, 2014, to March 6, 2-15 hackers had unauthorized access to the Premera network, exposing sensitive information on 10.4 million people, the majority of them in Washington. Information compromised includes consumers' private health data, Social Security numbers, banking information, full names, addresses, dates of birth, member identification numbers, email addresses, and phone numbers. 

Hackers gained access to the network by exploiting multiple known weaknesses in Premera's data security. Premera was repeatedly warned by cybersecurity experts and auditors for years prior to the breach of the vulnerabilities in its systems, including slow installs of software updates and security patches, but the company failed to fix them. To learn more about the Problems with Running Outdated Software, check out our latest whitepaper. 

Ferguson also claims that Premera misled consumers about its privacy practices before and after the breach. Privacy notices shared with members claimed "We take steps to secure our buildings and electronic systems from unauthorized access", which was ultimately not the case. Once the breach went public, Premera's call center agents reportedly told consumers there was "no reason to believe that any of your information was accessed or misused", which was also found to not be true. 

Under HIPAA, health organizations are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera failed to meet these standards, leaving millions of consumers vulnerable to dangers like fraudulent tax returns, fraudulent bank account activity, and identity theft. 

Under this settlement, Premera is required to pay $5.4 million to Washington and the rest of the states, implement data security controls to protect personal health data, review its security practices annually, and provide third-party data security reports to the attorney general offices. Premera is also required to hire a Chief Information Security Officer, create a compliance program and hire a compliance officer with a background in HIPAA Compliance, and provide security training to all employees who handle protected health information. 

This new settlement comes just weeks after Premera agreed to pay $74 million to settle a federal class-action lawsuit on behalf of affected customers. The settlement, which still requires approvals from a judge in Oregon, would require Premera to pay for two years of credit monitoring services for its customers. For subscribers in California, Premera will offer up to $50-100 per person, plus reimburse customers for all documented out of pocket expenses related to the breach. 

Healthcare providers and payers continue to be a target from hackers due to the high demand for personal records on the black market. To protect personal data and protected health information, NNT suggests leveraging the foundational security controls outlined by all leading security frameworks, such as HIPAA and CIS with the operational discipline of change management. Learn more about NNT's Solutions for the Healthcare Industry 


The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)

[email protected]

United Kingdom

5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023

 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.