Premera Blue Cross, the Pacific Northwest’s largest health insurance company, agreed to pay $10 million to Washington and 29 other states related to a data breach that affected the personal information of more than 10 million patients nationwide.
Washington State Attorney General Bob Ferguson said the company did not fulfill the standards set by the federal government’s Health Insurance Portability and Accountability Act (HIPAA) and violated the Consumer Protection Act in Washington state. Premera will pay $5.4 million to Washington and $4.6 million to the other states. Ferguson led a coalition of 30 attorneys general in the lawsuit.
“Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed,” Ferguson said in a statement. “As a result, millions had their sensitive information exposed.”
In addition to the $10 million state settlement, Premera separately agreed to pay $32 million to members of a class-action lawsuit as well as a minimum of $42 million to fund a new information security program over the next three years. Patients who were affected can file claims for credit monitoring and identity protection services, as well as for cash payments.
“We are pleased to have reached an agreement with state attorneys general to resolve legal inquiries into the 2014 cyberattack on our data network,” Premera spokesperson Dani Chung told GeekWire in an email statement. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information.”
According to a complaint by Ferguson, a hacker infiltrated Premera’s network for nearly a year beginning in May 2014. The individual had access to patient data including Social Security numbers and health information. The attorney general also said that Premera misled consumers about its privacy practices.
Premera’s payment to the states is part of a consent decree that also requires the company to take additional security steps, perform regular security reporting and hire a chief information security officer, among other requirements. The decree was filed today in Snohomish County Superior Court.