- Office of Attorney General Maura Healey
Health Insurer to Pay $10 Million in National Settlement Over Data Breach Affecting Sensitive Information of Millions
Boston — Premera Blue Cross, the largest health insurance company in the Pacific Northwest, will pay $10 million in a multistate settlement to resolve allegations that it failed to secure sensitive consumer data from a hacker and exposed the private health and personal information of more than 10.4 million consumers, including 37,626 Massachusetts residents, Attorney General Maura Healey announced today.
The 30 state attorneys general involved in the settlement allege Premera failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated the state consumer protection law by not addressing known cybersecurity vulnerabilities that gave the hacker unrestricted access to protected health information for almost a year.
“This company’s repeated disregard for the weaknesses in its data security system left millions of Americans’ sensitive information vulnerable to hackers,” said AG Healey. “Our settlement requires the company to improve its data security practices and stop putting consumers’ data at risk of being breached.”
According to the complaint filed with today’s settlement in Suffolk Superior Court, the company had been repeatedly warned by cybersecurity experts and its own auditors that its security program was inadequate but failed to fix its practices. Between March 2014 and May 2015, the hacker took advantage of these weaknesses in Premera’s data security system and accessed Premera customers’ sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers, and email addresses.
In the complaint, the attorneys general also allege Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. When the hacking incident became public, the company told consumers their information was not accessed or misused and that the company had significant security measures in place to protect consumer information, even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.
Under HIPAA, health insurers like Premera are required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information.
In addition to the $10 million payment to the multistate coalition, of which Massachusetts will receive a payment of $56,750, today’s settlement also requires Premera to:
- Ensure its data security program protects personal health information as required by law;
- Regularly assess and update its security measures;
- Provide data security reports completed by a third-party security expert; and
- Hire a chief information security officer experienced in data security and HIPAA compliance who will be responsible for implementing the company’s security program and will meet regularly with Premera’s executive leadership.
Joining AG Healey in today’s multistate settlement are attorneys general from Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.
This case was handled by Assistant Attorney General Michael Wong of the AG’s Health Care Division.