A health insurance company will change its data security practices to settle a lawsuit over a data breach that compromised the personal information of more than 10.4 million people nationwide, including 19,247 in Kansas, Attorney General Derek Schmidt announced today.
The settlement resolves allegations that Premera Blue Cross, the largest health insurance company in the Pacific Northwest, failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated the Kansas Consumer Protection Act by not addressing known cybersecurity vulnerabilities. Schmidt and 29 other state attorneys general yesterday filed the settlement, which requires Premera to implement specific data security controls to protect personal health information, annually review its security practices, and provide data security reports to the attorneys general. The company also will pay a $10 million penalty, of which $56,915.83 will go to Kansas. Consumer restitution is being addressed by a separate class-action lawsuit. A proposed settlement of that suit, which does not involve the attorney general’s office, is pending in federal court in Oregon.
From May 5, 2014, until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses. The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.
The lawsuit resolved by yesterday’s settlement alleged that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors had warned the company of its security vulnerabilities prior to the breach.
Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive personal health information. Premera repeatedly failed to meet these standards, leaving millions of people’s sensitive data vulnerable to hackers for nearly a year.
Yesterday’s settlement also requires Premera to:
Ensure its data security program protects personal health information as required by law
Regularly assess and update its security measures
Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office
Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
A copy of the consent judgment settling the case, which was filed yesterday in Shawnee County District Court, may be found at http://bit.ly/2YPYlQI.