Premera Blue Cross has agreed to pay $10 million to 30 states following a data breach that exposed sensitive information on over 10 million people across the country. 

The settlement negotiated with the Washington State Attorney Generals Office and led by Attorney General Bob Ferguson claims Premera Blue Cross, the largest health insurer in the Pacific Northwest, failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) by ignoring known security vulnerabilities that enabled hackers to access protected health data for nearly a year. 

From May 5, 2014, to March 6, 2-15 hackers had unauthorized access to the Premera network, exposing sensitive information on 10.4 million people, the majority of them in Washington. Information compromised includes consumers' private health data, Social Security numbers, banking information, full names, addresses, dates of birth, member identification numbers, email addresses, and phone numbers. 

Hackers gained access to the network by exploiting multiple known weaknesses in Premera's data security. Premera was repeatedly warned by cybersecurity experts and auditors for years prior to the breach of the vulnerabilities in its systems, including slow installs of software updates and security patches, but the company failed to fix them. To learn more about the Problems with Running Outdated Software, check out our latest whitepaper. 

Ferguson also claims that Premera misled consumers about its privacy practices before and after the breach. Privacy notices shared with members claimed "We take steps to secure our buildings and electronic systems from unauthorized access", which was ultimately not the case. Once the breach went public, Premera's call center agents reportedly told consumers there was "no reason to believe that any of your information was accessed or misused", which was also found to not be true. 

Under HIPAA, health organizations are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera failed to meet these standards, leaving millions of consumers vulnerable to dangers like fraudulent tax returns, fraudulent bank account activity, and identity theft. 

Under this settlement, Premera is required to pay $5.4 million to Washington and the rest of the states, implement data security controls to protect personal health data, review its security practices annually, and provide third-party data security reports to the attorney general offices. Premera is also required to hire a Chief Information Security Officer, create a compliance program and hire a compliance officer with a background in HIPAA Compliance, and provide security training to all employees who handle protected health information. 

This new settlement comes just weeks after Premera agreed to pay $74 million to settle a federal class-action lawsuit on behalf of affected customers. The settlement, which still requires approvals from a judge in Oregon, would require Premera to pay for two years of credit monitoring services for its customers. For subscribers in California, Premera will offer up to $50-100 per person, plus reimburse customers for all documented out of pocket expenses related to the breach. 

Healthcare providers and payers continue to be a target from hackers due to the high demand for personal records on the black market. To protect personal data and protected health information, NNT suggests leveraging the foundational security controls outlined by all leading security frameworks, such as HIPAA and CIS with the operational discipline of change management. Learn more about NNT's Solutions for the Healthcare Industry 


NNT Suite of Products

change tracker gen7r2 logo

Combine industry leading Device Hardening, File Integrity Monitoring, Change Control, Configuration Management & Compliance Management into one easy to use solution that can scale to the most demanding environments!

fastcloud logo

Automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology) Integrity Assurance.

log tracker logo logo

Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds.

vulnerability tracker logo

Continuously scan and identify vulnerabilities with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

USA Offices
New Net Technologies LLC
Suite #10115, 9128 Strada Place
Naples, Florida, 34108
1175 Peachtree St NE
Atlanta, Georgia, 30361.
4145 SW Watson, Suite 350
Beaverton, Oregon, 97005.

Tel: (844) 898-8358
email [email protected]
UK Office
New Net Technologies Ltd
Rivers Lodge, West Common
Harpenden, Hertfordshire

Tel: 01582 287310
email [email protected]
CIS benchmarking SEWP Cybersecurity 500Sans Institute Now Certified
Copyright 2019, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.