Premera Blue Cross pays US states $10 million over data breach

data breach

Premera Blue Cross has reached a settlement to pay $10 million (£7,978,150) to thirty US states as the result of a data breach dating back four years.

The incident at the root of Primera’s pay-out comprised the personal and private data of more than ten million US citizens across the nation.

Premera, the largest health insurer in the Pacific Northwest, made the settlement with the Washington attorney general’s office after weeks of the company saying it would devote $74 million towards settling a federal class-action legal case on behalf of the data breach victims.

According to reports, analysis teams had flagged up weaknesses in Premera’s cyber-security infrastructure, highlighting how the firm had been slow to install software upgrades and address vulnerabilities.

As such, the insurer was accused of failing to satisfy the standards and protect data as per the federal Health Insurance Portability and Accountability Act, known as HIPAA, and Washington’s Consumer Protection Act.

Washington Attorney General, Bob Ferguson, said:

“Premera knew they had a problem. Their own experts told them. They chose to ignore the advice of their own experts.”

The breach took place between May 2014 and March 2015, when hackers managed to get their hands on private data including medical records, bank account details and social security numbers of around 10.5 million citizens, most of whom reside in Washington state.

Among the victims are all of those who subscribed to Premera Blue Cross from 2002 through to early 2015, as well as patients who had insurance through Blue Cross companies who were treated in Alaska or Washington.

Premera will now pay $5.4 million to Washington while the other states involved will receive the remaining money. The insurer will also bring in new data privacy measures to increase protection of personal health information. A security protocol review will take place at the company every year, reports from which will have to be submitted to the attorney general’s office.

Premera spokeswoman, Dani Chung said:

“The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information. Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015.”

PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.