AG TONG, DCP COMMISSIONER SEAGULL ANNOUNCE SETTLEMENT WITH HEALTH INSURER PREMERA OVER FAILURE TO PROTECT SENSITIVE DATA OF MILLIONS NATIONWIDE
Attorney General William Tong and 29 other attorneys general filed a settlement today that requires Premera Blue Cross to pay a total of $10 million because of its failure to secure sensitive consumer data.
Premera’s insufficient data security exposed the protected health information and personal information of more than 10.4 million consumers nationwide to a hacker.
A coalition of 30 states, led by Washington State Attorney General Bob Ferguson, investigated Premera’s cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for nearly a year.
Under the settlement, Premera will pay a total of $10 million to the states. Connecticut will receive $52,642. In Connecticut, approximately 15,000 residents were affected by the breach. Connecticut's share is tied to the number of residents impacted.
The company is also required to implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general. Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but not yet finalized by the court.
"Premera was repeatedly warned by cybersecurity experts about deficiencies in its security program, yet the company failed to fix its practices. This settlement will require Premera to implement the specific data security controls needed to safeguard consumers' personal health information. No consumer should ever have to worry about their sensitive personal information being compromised by those who were entrusted to protect it," said Attorney General Tong.
“Businesses have a responsibility to keep consumer data safe,” said Consumer Protection Commissioner Michelle H. Seagull. “With changing technology, it is more important than ever that companies not only ensure that they have an effective security policy, but that it’s routinely monitored and evaluated. I am pleased that Connecticut is a part of this settlement, and am hopeful that this can serve as a reminder to any company handling consumer data that security is of the utmost importance.”
Today’s settlement also requires Premera to:
- Ensure its data security program protects personal health information as required by law.
- Regularly assess and update its security measures.
- Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office.
- Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
- Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
Today’s multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.