Premera Blue Cross has agreed to pay $10 million to 30 states in connection with a data breach.
The insurer paid the amount after a probe by the Washington state attorney general’s office into a data breach. The incident exposed sensitive data of at least 10 million people all over the country.
The Washington attorney general’s office negotiated the payment with the insurer. The settlement was then filed in state court late this week. The agreement comes weeks after Premera announced it would spend $74 million to settle a federal class-action lawsuit.
Attorney General Bob Ferguson led a coalition of 30 state attorneys general who probed the company’s mistake. According to the attorney general’s release, the agreement divided Premera’s payment into two parts. Washington would receive $5.4 million while the coalition of 29 state attorneys general would get $4.6 million.
The $10-million payment is in addition to any payment for other proposed class action settlements. The class-action lawsuit was filed in the federal court in Oregon. The court has not yet finalized the arrangement.
The states said auditors had earlier notified Premera of the vulnerabilities in its system. The auditors’ warnings included the insurer’s slow action in installing software updates and security patches. But despite knowing of these problems, the company failed to fix them.
The states accused Premera of failing to meet its obligations to protect customer data under specific laws. These include the federal government’s Health Insurance Portability and Accountability Act (HIPAA) and Washington state’s Consumer Protection Act.
Breach Out of Negligence
Ferguson noted that Premera’s cybersecurity experts told management of the problem, but management chose to ignore their advice. He said that the insurer had failed to meet its obligation to protect the privacy of millions of Washingtonians.
The breach lasted from May 2014 to March 2015, during which hackers gained access to private data. The information included medical records, Social Security numbers, and bank account details of 10.4 million people.
The data breach exposed information of customers, including all Premera Blue Cross subscribers from 2002 through early 2015. Also included were patients insured through other Blue Cross companies who sought or received treatment in Washington or Alaska.
Premera spokeswoman Dani Chung said that independent experts had found no evidence that hackers removed customer information from Premera’s systems. However, the federal class-action suit claimed that hackers used the stolen data for fraudulent activities. Some of them used customer information to open fake accounts, file bogus tax returns, and steal identities.