(Update: Adding Oregon attorney general info)
SEATTLE (AP) — Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.
The settlement, negotiated with the Washington attorney general's office and filed in state court Thursday, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.
The states said auditors had alerted Premera to the vulnerabilities in its system, including that it was slow to install software updates and security patches, but it failed to fix them. They accused Premera of failing to meet its obligations to protect the data under the federal Health Insurance Portability and Accountability Act, known as HIPAA, and Washington's Consumer Protection Act.
"Premera knew they had a problem," said Washington Attorney General Bob Ferguson. "Their own experts told them. They chose to ignore the advice of their own experts."
During the breach, which lasted from May 2014 to March 2015, hackers had access to sensitive data — including medical records, bank account information and Social Security numbers — for 10.4 million people, the majority of them in Washington.
Premera is based in Mountlake Terrace, a north Seattle suburb. Those whose data was exposed include all Premera Blue Cross subscribers from 2002 through early 2015, as well as patients insured through other Blue Cross companies who sought treatment in Washington or Alaska.
Under the settlement, Premera will pay $5.4 million to Washington and the rest to the other states, and it will implement data security controls to protect personal health information, review its security practices yearly and provide data security reports to the attorney general's office.
"The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information," Premera spokeswoman Dani Chung said in an emailed statement. "Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015."
Chung said independent experts had not made a finding that any customer information was removed from Premera's systems, but the federal class-action case alleged that hackers used the private information to open fraudulent accounts, file fraudulent tax returns and steal identities.
The settlement in the federal class-action, which still requires the approval of a judge in Oregon, requires Premera to pay for two years of credit monitoring on behalf of its customers. It also offers them up to $50 — $100 for subscribers in California — plus reimbursement of documented out-of-pocket expenses related to the breach.
News release from Oregon Attorney General Ellen Rosenblum:
Oregon Settles with Health Insurer Premera Over Data Breach
SALEM, OREGON—Oregon Attorney General Ellen Rosenblum and 29 other state Attorneys General have reached a $10 million settlement with Premera Blue Cross, known in Oregon as LifeWise Health Plan of Oregon, over its failure to secure consumer data. Oregon will receive $1.3 million from the settlement.
"It's horrifying to think that for nearly one entire year, a hacker had access to the sensitive health records and personal data of millions of Americans. Companies must be held accountable for sloppy privacy practices that put the sensitive data of patients at risk," said Attorney General Rosenblum. "We simply must make it a priority to educate all Americans how to recognize suspicious emails and avoid getting hacked."
Premera's insufficient data security exposed the personal information of more than 700,000 Oregonians who were current or former members of the plan. From May 5, 2014-March 6, 2015, a hacker used a "spear phishing" email to gain access to the Premera network containing personal information of over 10 million consumers nationwide, including private health information, names, addresses, phone numbers, dates of birth, Social Security numbers, member identification numbers, bank account information and email addresses.
In the complaint, the Attorneys General alleged that the company failed to meet its obligations under federal and state laws by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to sensitive personal information and protected health information for almost a year. For years prior to the breach, cybersecurity experts and the company's own auditors repeatedly warned executive management of Premera's inadequate security program.
Under the Health Insurance Portability and Accountability Act (HIPAA), Premera is required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information.
On May 5, 2014, a hacker gained access to the Premera network using a tactic known as "spear-phishing." The email, disguised as an email from the company's IT department, came from a misspelled domain name, contained several suspicious misspellings and the wrong physical address for the IT department — common signs of a spear-phishing attempt.
The suspicious email prompted the employee to enter user credentials to download a security update. In reality, the employee unknowingly downloaded malware, a program designed to give the hacker access to the Premera network.
The breach affected the sensitive information of not only current Premera customers, but also former customers, and prospective customers who had applied for Premera's services, including prospective customers who were denied coverage. It also affected non-members whose claims Premera processed and current and former Premera employees.
In addition to Oregon, the settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Rhode Island, Utah, Vermont, and Washington.
The Oregon Department of Justice (DOJ) is led by Attorney General Ellen Rosenblum, and serves as the state's law firm. The Oregon DOJ advocates for and protects all Oregonians, especially the most vulnerable, such as children and seniors.