The largest health insurance provider in the Pacific Northwest will pay $10 million to settle a multistate investigation into a cyberattack that exposed the sensitive personal data of more than 10 million customers.
Premera Blue Cross violated the Health Insurance Portability and Accountability Act by not heeding warnings that its security program was inadequate, Montana Attorney General Tim Fox said in a statement announcing the settlement. The company’s security lapses allowed a hacker to access insurees’ Social Security numbers, bank account information, and email addresses from May 2014 to March 2015, Fox said.
“For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices,” Fox said. Premera also misled customers by claiming that consumer data was protected, even after the breach was announced to the public, according to Montana’s complaint.
Premera said it was pleased to have reached an agreement with the state attorneys general.
“The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information,” Premera spokesperson Dani Chung said in an email.
Thirty states will share the $10 million settlement. Fox said Montana will receive $122,879 for consumer education and protection.
Premera must update its security procedures to protect personal and health information, file regular security reports, and hire a chief information security officer, under the terms of the settlement. The company also must ensure that user data is encrypted and that it stores and retains data only to the minimum extent necessary, and then evaluate and update its policies on an annual basis, according to the settlement.
The settlement comes on the heels of Premera’s agreement May 30 to pay $32 million to end a class action over the same breach. Premera also agreed to spend $42 million over three years on comprehensive remedial measures and beefed-up security practices if the deal is approved by the court overseeing the litigation.