Associated Press reports: Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country. The settlement, negotiated with the Washington attorney general’s office and filed in state court Thursday, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers. Read more on Modern Healthcare. The following statement was issued by the Washington State Attorney General’s Office: Jul 11 2019 Premera will pay $5.4 million to Washington and another $4.6 million to coalition of 29 state attorneys general that joined Ferguson’s investigation OLYMPIA — As a result of an Attorney General’s Office investigation, Premera Blue Cross, the largest health insurance company in the Pacific Northwest, will pay $10 million nationwide for failing to secure sensitive consumer data and for misleading consumers before and after a data breach affecting millions across the country. Attorney General Bob Ferguson led a coalition of 30 state attorneys general investigating the company’s practices. The data breach affected the information of more than 10.4 million individuals nationwide, including more than 6.4 million Washingtonians. Under the consent decree, filed today in Snohomish County Superior Court, Premera will pay $5.4 million of the total recovery to the Washington State Attorney General’s Office, which will go towards continued enforcement of state data security and privacy laws, and nearly $4.6 million to the coalition of states that joined Ferguson’s legal action. Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court. The consent decree also legally requires Premera to implement specific data security controls to protect personal health information, annually review its security practices and provide data security reports to the Washington State Attorney General’s Office. “Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed,” Ferguson said. “As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers’ sensitive health information was at risk.” In today’s complaint, Ferguson asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated the Washington State Consumer Protection Act by not addressing known cybersecurity vulnerabilities that gave a hacker access to protected health information for almost a year. From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses. The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices. Ferguson’s complaint asserts that Premera misled Washingtonians and other consumers nationwide about its privacy practices before and after the data breach. In privacy notices, Premera told its members, “We take steps to secure our buildings and electronic systems from unauthorized access.” After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach. Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumer’s sensitive data vulnerable to hackers for nearly a year. Today’s consent decree also requires Premera to: Ensure its data security program protects personal health information as required by law Regularly assess and update its security measures Map where HIPAA-protected information, including personal health information, is located on the Premera network Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program. Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery. Create a compliance program and hire a compliance officer with a background in HIPAA compliance Map where HIPAA-protected information, including personal health information, is located on the Premera network Provide security training to all employees who handle personal information and protected health information The proposed class action settlement provides for additional relief for affected individuals. Consumers affected by Premera’s conduct should expect to receive information about restitution after the settlement is approved by the court. More information about the class action is available here. Joining Washington are Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah and Vermont. Assistant Attorneys General Tiffany Lee, Andrea Alegrett, and Lynda Atkins, along with Senior Investigator Rebecca Hartsock, are leading the case for Washington. So with all these references to HIPAA, I should probably remind readers that these were enforcement and civil actions by states and insured members. This doesn’t say anything about what HHS/OCR did to Premera, if anything. Checking HHS’s public breach tool reveals that the incident is not in the “Under Investigation” section, which should […]
Jessica Davis reports: Premera Blue Cross reached a proposed $74 million settlement with the 11 million patients impacted by its 2014 breach, caused by a sophisticated cyberattack that lasted for nearly one year before it was discovered. In January 2015, Premera officials discovered the breach that began nearly a year earlier in May 2014. Premera, Premera Blue Cross Blue Shield of Alaska, and the insurer’s affiliates, Vivacity and Connexion Insurance Solutions were impacted, as well as patients who sought treatment in Alaska or Washington during that time period. The breached data included member and applicant names, dates of birth, Social Security numbers, bank account information, claims data, member identification numbers, and some clinical data. Read more on Health IT Security. Lawsuits over data breaches are a dime a dozen, but this litigation had a higher likelihood of settling due to a number of factors. You can read previous news coverage of the breach and litigation on this site by following the links from these search results, but for now, I’ll just end this post with a quote from research by Sasha Romanosky, Hoffman, and Acquisti (2013): In addition, we find that that the odds of a firm being sued are 3.5 times greater when individuals suffered financial harm, but over 6 times lower when the firm provides free credit monitoring to those affected by the breach. Moreover, the odds of a firm being sued as a result of improperly disposing data are 3 times greater relative to breaches caused by lost/stolen data, and 6 times greater when the data breach involved the loss of financial information. Our analysis suggests that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. The odds of a settlement are found to be 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by 31%. Romanosky, Sasha and Hoffman, David A. and Acquisti, Alessandro, Empirical Analysis of Data Breach Litigation (April 6, 2013). Forthcoming in the Journal of Empirical Legal Studies; Temple University Legal Studies Research Paper No. 2012-30. Available at SSRN: https://ssrn.com/abstract=1986461 or http://dx.doi.org/10.2139/ssrn.1986461
Catalin Cimpanu reports: The plaintiffs of a class-action lawsuit against health insurance provider Premera Blue Cross are accusing the organization of “willfully destroying” evidence that was crucial for establishing accurate details in a security breach incident. In court documents filed last week obtained by ZDNet, plaintiffs claim that Premera intentionally destroyed a computer that was in a key position to reveal more details about the breach, but also software logs from a security product that may have shown evidence of data exfiltration. Read more on ZDNet.
Coral Garnick reports that there have been 38 lawsuits filed and continuing investigations into the Premera breach. Mountlake Terrace-based Premera maintains that it does not “have any evidence that there was any criminal activity on anyone’s account as a result of the cyberattack,” company spokeswoman Melanie Coon said in an email statement. However, the company faces 38 class-action lawsuits containing reports that may argue otherwise, including stories of false tax returns, unexpected calls to verify personal information and packages received that were never ordered. Read more on Seattle Times.
On April 18, DataBreaches.net addressed a question raised by some as to whether the Premera breach had resulted in any tax refund fraud or other types of fraud. At the time of posting, Premera had not responded to the inquiries sent to them. Today, DataBreaches.net received the following answers: 1. Does Premera now have any evidence that data was actually acquired or exfiltrated in the attack? The investigation has not determined that any such data was removed from our systems and we have no evidence to date that such data has been used inappropriately. We continue to encourage affected individuals to sign up for the credit monitoring and identity theft protection products. Members should enroll on line through the www.Premeraupdate.com website or by calling Experian directly at 888-451-6558. 2. Has Premera received any reports of tax refund fraud that appear to be linked to the attack? If so, how many such reports have been received? The IRS has released warnings on at least 12 different tax scams that are in operation during tax filing season this year. We continue to coordinate with the FBI on its investigation into this attack and it’s important to note that our investigation has not determined that any information has been removed from our systems nor is there any evidence that any such data has been used inappropriately. We do not believe that these scams are related to the cyberattack. As this site has noted repeatedly and as Premera notes above, given how many breaches have occurred, it will be extremely difficult, if not impossible, for any one victim of tax refund fraud to know from where their information was stolen or acquired. But blaming any one entity when they’ve found no evidence of any data theft really does seem a bit of stretch.
While some Connecticut residents are blaming the Anthem breach after becoming victims of tax refund fraud (a causal claim that Anthem denies) and some faculty at North Dakota State University wonder if the university’s breach last year is the cause of the tax refund fraud they’re experiencing (a causal claim that NDSU denies), some physicians and dentists in Jonesboro, Arkansas are blaming Premera for the tax refund fraud they’ve experienced. Premera also disclosed a massive data breach recently. DataBreaches.net reached out to Premera yesterday to ask whether they had seen any indications that their breach had resulted in identity theft, but they did not respond to the e-mailed inquiry. So this post will be updated if a response is received. In the meantime, I’ll reiterate what I said the other day: it is extremely difficult to know which of many breaches this year may have resulted in any tax refund fraud you have experienced, and I think class action lawsuits may have a rough time demonstrating a connection between any one breach and harm suffered – unless we get some intel that data from these breaches is up for sale on the underground market.
Mike Baker reports: Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network-security procedures were inadequate. Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings April 18 last year, according to federal records. Read more on Seattle Times. I’m waiting for someone to discuss whether if OCR had been more actively auditing covered entities, the Anthem and Premera breaches would have occurred.
The Edmonds Beacon reports: Premera Blue Cross announced on Tuesday, March 17 that it was the target of a cyber-attack, and customers personal information was accessed. According to the Premera website, attackers gained access to the IT systems. The attack initially occurred on May 5, 2014, but wasn’t discovered until Jan. 29, 2015. An investigation by the company and Mandiant, a top cyber security firm, revealed members name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information and claims information, including clinical information was accessed. Read more on Edmonds Beacon. Premera has established a dedicated website to the breach, and yes, right off the bat they claim that they were victims of a “sophisticated cyberattack.” In terms of the scope of the breach: This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska. Note that KING5 is reporting that this breach may impact 11,000,000. Update 1: Premera’s notification templates are up on the California Attorney General’s web site: Premera Blue Cross – Incident Notification – Adult Premera Blue Cross – Incident Notification – Minor Premera Blue Cross – Incident Notification – Deceased Update 2: Brian Krebs describes some evidence that suggests that the Premera attack may be state-sponsored – and by the same group responsible for the Anthem hack. Update 3: Lifewise members are also affected by this breach (approximately 250,000): This incident affected LifeWise Health Plan of Washington, LifeWise Health Plan of Oregon and LifeWise Assurance Company. It also affected LifeWise Health Plan of Arizona, which no longer does business in that state.
HHS has announced another big settlement and corrective action plan. This one stems from a hack of Premera Blue Cross (PBC) in 2014 that went undetected until March of 2015. DataBreaches.net had covered this incident at the time and the follow-ups that included a class action lawsuit that settled, a settlement with state attorneys general, and news that federal auditors had warned Premera of security issues three weeks before the hack. Not surprisingly, the settlement starts out by noting the entity’s failure to perform a risk assessment, and that becomes the first element in the corrective action plan. Here is the full press release from HHS: Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. This resolution represents the second-largest payment to resolve a HIPAA investigation in OCR history. PBC operates in Washington and Alaska, and is the largest health plan in the Pacific Northwest, serving more than two million people. On March 17, 2015, PBC filed a breach report on behalf of itself and its network of affiliates stating that cyber-attackers had gained unauthorized access to its information technology (IT) system. The hackers used a phishing email to install malware that gave them access to PBC’s IT system in May 2014, which went undetected for nearly nine months until January 2015. This undetected cyberattack, otherwise known as an advanced persistent threat, resulted in the disclosure of more than 10.4 million individuals’ protected health information including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. OCR’s investigation found systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls. “If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director. In addition to the monetary settlement, PBC has agreed to a robust corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/premera-ra-cap.pdf – PDF. Comment from DataBreaches.net: Note Director Severino’s comment about hackers roaming undetected in a computer system for nearly ninth months. What will OCR say about some of the current batch of ransomware attacks where the attackers roam in the network, escalating privileges and adding more systems to those that are then encrypted. Will OCR claim that these victim entities did not have adequate enterprise-wide risk assessments and lacked adequate audit controls? Will victims get huge fines for not preventing attackers from gaining footholds via phishing or RDP and for not detecting them in their network? We may not know for a few years.
It’s all fun and games until you have to report a breach involving your health plan to HHS. Nintendo of America, Inc. notified HHS on February 26 of an incident impacting 6,248. The incident was coded as “Hacking/IT Incident” involving their Network Server, but still covers a lot of possibilities. [CORRECTION: It was not their network server – see update below this post.] There’s no notice on their web site at this time and I can find no press release explaining what happened. This post will be updated as more information becomes available. Updated March 8, 2016. :DataBreaches.net received an email from Nintendo of America today: Roughly one year ago, health insurance providers Premera Blue Cross and Anthem announced that cyber-attackers had gained access to restricted data. As a result, information regarding the employees of many different companies, including Nintendo of America, may have been compromised. There was no data breach at Nintendo. Any questions regarding this issue will be best answered by Premera and Anthem. Thanks to Nintendo of America to reaching out to this site. And this, my friends, is another example of why HHS’s breach tool can be so misleading or confusing. Nintendo of America tried to responsibly report what happened to their members, but the way HHS codes things, it appeared that there were data hacked or stolen from a network server. Since “business associate present” was NOT checked, it would be logical conclusion (but wrong, in this case) to think that it was their network server. I have repeatedly urged HHS to revise its breach tool to make the reports clearer and more understandable to prevent exactly these kinds of misinterpretations. In the meantime, DataBreaches.net apologizes to Nintendo of America for the original description.