Premera Blue Cross pays states $10 million over data breach (Updated)

Associated Press reports:

Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.

The settlement, negotiated with the Washington attorney general’s office and filed in state court Thursday, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.

Read more on Modern Healthcare.

The following statement was issued by the Washington State Attorney General’s Office:

Jul 11 2019

Premera will pay $5.4 million to Washington and another $4.6 million to coalition of 29 state attorneys general that joined Ferguson’s investigation

OLYMPIA — As a result of an Attorney General’s Office investigation, Premera Blue Cross, the largest health insurance company in the Pacific Northwest, will pay $10 million nationwide for failing to secure sensitive consumer data and for misleading consumers before and after a data breach affecting millions across the country. Attorney General Bob Ferguson led a coalition of 30 state attorneys general investigating the company’s practices.

The data breach affected the information of more than 10.4 million individuals nationwide, including more than 6.4 million Washingtonians. Under the consent decree, filed today in Snohomish County Superior Court, Premera will pay $5.4 million of the total recovery to the Washington State Attorney General’s Office, which will go towards continued enforcement of state data security and privacy laws, and nearly $4.6 million to the coalition of states that joined Ferguson’s legal action.

Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court.

The consent decree also legally requires Premera to implement specific data security controls to protect personal health information, annually review its security practices and provide data security reports to the Washington State Attorney General’s Office.

“Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed,” Ferguson said. “As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers’ sensitive health information was at risk.”

In today’s complaint, Ferguson asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated the Washington State Consumer Protection Act by not addressing known cybersecurity vulnerabilities that gave a hacker access to protected health information for almost a year.

From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.

Ferguson’s complaint asserts that Premera misled Washingtonians and other consumers nationwide about its privacy practices before and after the data breach. In privacy notices, Premera told its members, “We take steps to secure our buildings and electronic systems from unauthorized access.”

After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumer’s sensitive data vulnerable to hackers for nearly a year.

Today’s consent decree also requires Premera to:

  • Ensure its data security program protects personal health information as required by law
  • Regularly assess and update its security measures
  • Map where HIPAA-protected information, including personal health information, is located on the Premera network
  • Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office
  • Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
  • Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
  • Create a compliance program and hire a compliance officer with a background in HIPAA compliance
  • Map where HIPAA-protected information, including personal health information, is located on the Premera network
  • Provide security training to all employees who handle personal information and protected health information

The proposed class action settlement provides for additional relief for affected individuals. Consumers affected by Premera’s conduct should expect to receive information about restitution after the settlement is approved by the court. More information about the class action is available here.

Joining Washington are Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah and Vermont.

Assistant Attorneys General Tiffany Lee, Andrea Alegrett, and Lynda Atkins, along with Senior Investigator Rebecca Hartsock, are leading the case for Washington.

So with all these references to HIPAA, I should probably remind readers that these were enforcement and civil actions by states and insured members.  This doesn’t say anything about what HHS/OCR did to Premera, if anything.  Checking HHS’s public breach tool reveals that the incident is not in the “Under Investigation” section, which should mean that there is no active investigation continuing at this point.  But checking the listing for Premera in the Archived incidents reveals absolutely no information about the incident or any steps HHS/OCR might have taken.

So what does this mean? Did OCR do anything and just not write it up yet, or did they do nothing and let the states handle this?  Under HITECH, state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules and to enjoin further violations of the HIPAA Privacy and Security Rules.

DataBreaches.net has reached out to OCR to inquire as to whether they took any enforcement actions themselves or allowed the states to handle it all in this case.

Update:  I heard back from HHS/OCR. Rachel Seeger,Senior Advisor, Public Affairs and Outreach HHS Office for Civil Rights, responded to my inquiry with:

OCR does not comment on open or potential investigations.

So the fact that the incident is in the Archive section of the breach tool does not mean that nothing more may be coming down the road on this case. As the breach tool explains, it is not just resolved incidents that get listed in the Archive. Incidents older than 24 months are also listed there. Premera was reported to HHS/OCR in March 2015.

About the author: Dissent