Attorney General Gurbir S. Grewal announced today that New Jersey and 29 other states have reached a settlement with health insurer Premera Blue Cross Blue Shield to resolve allegations that Premera’s inadequate security measures left its network vulnerable to hacking and exposed consumers’ Social Security numbers and sensitive health information to a hacker for ten months in 2014 to 2015.

Under terms of the settlement, Premera must pay the states a total of $10 million. The company also must implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the participating state attorneys general.

The investigation found that Premera’s inadequate data security exposed to a hacker the protected health information and personal information of more than 10.4 million insureds nationwide. The data breach affected approximately 40,000 New Jersey residents.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said Attorney General Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

A complaint filed today along with the settlement agreement asserts that Premera failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated state consumer protection laws by not addressing known cybersecurity vulnerabilities. New Jersey’s share of the settlement is $72,168.

Separate class action litigation involving the breach resulted in a proposed settlement in June 2019 that would result in a $32 million recovery for affected consumers, and would require Premera to make $42 million in cybersecurity upgrades.

From May 5, 2014 through March 6, 2015, a hacker had unauthorized access to the Premera network containing private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

In doing so, the hacker took advantage of multiple known weaknesses in Premera’s data security.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumer’s sensitive data vulnerable to hacking.

For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without correcting its practices, the multi-state investigation determined.

The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Today’s settlement also requires Premera to:

Ensure its data security program protects personal health information as required by law.

Regularly assess and update its security measures.

Provide annual data security reports completed by a third-party security expert approved by the multistate coalition.

Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance, and will be responsible for implementing, maintaining and monitoring the company’s security program.

Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

In addition to New Jersey and lead state Washington, today’s multistate settlement with Premera includes: Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah and Vermont.

Deputy Attorney General Elliott M. Siebers, Section Chief in the Division of Law’s Data Privacy and Cybersecurity Section, and former Deputy Attorney General Michelle T. Weiner, handled the Premera matter on behalf of the State.