Advertisements

AG Grewal Announces Settlement with Premera Blue Cross over Data Breach that Exposed Information of over 10 Million Customers

Attorney General Gurbir S. Grewal announced today that New Jersey and 29 other states have reached a settlement with health insurer Premera Blue Cross Blue Shield to resolve allegations that Premera’s inadequate security measures left its network vulnerable to hacking and exposed consumers’ Social Security numbers and sensitive health information to a hacker for ten months in 2014 to 2015.

Under terms of the settlement, Premera must pay the states a total of $10 million. The company also must implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the participating state attorneys general.

The investigation found that Premera’s inadequate data security exposed to a hacker the protected health information and personal information of more than 10.4 million insureds nationwide. The data breach affected approximately 40,000 New Jersey residents.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said Attorney General Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

A complaint filed today along with the settlement agreement asserts that Premera failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated state consumer protection laws by not addressing known cybersecurity vulnerabilities. New Jersey’s share of the settlement is $72,168.

Separate class action litigation involving the breach resulted in a proposed settlement in June 2019 that would result in a $32 million recovery for affected consumers, and would require Premera to make $42 million in cybersecurity upgrades.

From May 5, 2014 through March 6, 2015, a hacker had unauthorized access to the Premera network containing private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

In doing so, the hacker took advantage of multiple known weaknesses in Premera’s data security.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumer’s sensitive data vulnerable to hacking.

For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without correcting its practices, the multi-state investigation determined.

The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Today’s settlement also requires Premera to:

Ensure its data security program protects personal health information as required by law.

Regularly assess and update its security measures.

Provide annual data security reports completed by a third-party security expert approved by the multistate coalition.

Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance, and will be responsible for implementing, maintaining and monitoring the company’s security program.

Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

In addition to New Jersey and lead state Washington, today’s multistate settlement with Premera includes: Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah and Vermont.

Deputy Attorney General Elliott M. Siebers, Section Chief in the Division of Law’s Data Privacy and Cybersecurity Section, and former Deputy Attorney General Michelle T. Weiner, handled the Premera matter on behalf of the State.

-------------

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at general@thelakewoodscoop.com.

Stay up to date via our news alerts, by sending 'follow LakewoodScoop' to the number '40404' or via Twitter handle @LakewoodScoop. Also find us on Instagram and Facebook.

Also join the thousands receiving our Whatsapp Status updates!

Got a news tip? Email us at newstips@thelakewoodscoop.com, text or whatsapp us 415-857-2667, or tweet us @LakewoodScoop.

There are 2 Comments to "AG Grewal Announces Settlement with Premera Blue Cross over Data Breach that Exposed Information of over 10 Million Customers"

  • Justsayin.... says:

    And what do you think he will do with the settlement money, they will provide health care for illegals….way to go AG

  • Ron Benvenisti says:

    Wake up! NJ gets $72,138. The hackers have a 30 Billion dollar racket selling this information so illegals can steal social security numbers.

Write a Comment

Please read comment rules before submitting your comment.

(required - will not be published)

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Answer the question below to prove you\'re human *