Premera Signs $10 Million Breach Settlement With 30 States

HIPAA/HITECH, Incident & Breach Response, Legislation & Litigation

Agreement Follows Proposed $74 Million Settlement of Class Action Lawsuit

(HealthInfoSec) • July 11, 2019

Health insurer Premera Blue Cross has signed a $10 million HIPAA settlement with the attorneys general of 30 states in the wake of a data breach that exposed personal information on more than 10.4 million individuals nationwide.


The settlement tied to a 2014 breach disclosed in 2015 was announced Thursday by Connecticut Attorney General William Tong.

The coalition of 30 state attorneys general, led by Washington State Attorney General Bob Ferguson, investigated Seattle-based Premera's cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for nearly a year, Tong said in a statement.

Under the settlement, the insurer is required to implement specific data security controls intended to safeguard PHI. That includes annually reviewing its security practices and providing data security reports to the attorneys general.

Premera's $10 million payment to the states is in addition to a proposed $74 million class action lawsuit settlement, which was filed in June.

"Premera was repeatedly warned by cybersecurity experts about deficiencies in its security program, yet the company failed to fix its practices," Tong said in the statement.

The multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington.

Settlement Provisions

Under the settlement, Premera must:

- Ensure its data security program protects personal health information as required by law;
- Regularly assess and update its security measures;
- Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington state attorney general's office;
- Hire a CISO experienced in data security and HIPAA compliance who will be responsible for implementing, maintaining and monitoring the company's security program;
- Hold regular meetings between the CISO and Premera's executive management. The CISO must meet with Premera's CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

Premera did not immediately respond to a request for comment.