A $10 million settlement has been reached with health insurer Premera Blue Cross as a result of the company’s 2014/15 data breach, which exposed the protected health information and other personal information of more than 10.4 million consumers nationwide.
Under the settlement, Arizona will receive only $154,885.52. The funds will be deposited into the Attorney General’s consumer-protection revolving fund.
Arizona and 29 other states reached the settlement with Premera, the largest health insurance company in the Pacific Northwest.
According to the Arizona Attorney General’s Office, as a health insurance provider, Premera is subject to the privacy and security requirements of the federal Health Insurance Portability and Accountability Act (HIPAA).
Premera allegedly failed repeatedly to comply with HIPAA requirements, leaving millions of consumers’ sensitive data vulnerable to hackers for nearly a year. The complaint also alleged that Premera violated the Arizona Consumer Fraud Act by failing to implement reasonable security procedures and practices to protect the sensitive information of Arizona residents.
More specifically, the complaint alleges that from May 5, 2014, until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers, and email addresses. To gain such access, the hacker took advantage of multiple weaknesses in the company’s data-security practices, of which Premera had been warned repeatedly by cybersecurity experts and even its own auditors.
Premera is now required to:
Ensure its data security program protects personal health information as required by law;
Regularly assess and update its security measures; and
Hire a Chief Information Security Officer (CISO), who will be responsible for: implementing, maintaining, and monitoring the company’s security program; meeting regularly with the company’s executive management; and informing the company’s CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.