Following a data breach incident that began in 2014 but was not discovered until 2015, Premera Blue Cross has agreed to pay $74 million in total to settle a class action lawsuit against the health insurance company.
In March 2015, the Mountlake Terrace, Wash.-based health insurer acknowledged that it was the victim of a cyberattack that affected nearly 11 million of its customers. A few months before that, Premera discovered that cyber attackers had executed a sophisticated attack to gain unauthorized access to its IT systems. However, an investigation revealed that the initial attack actually occurred on May 5, 2014.
Following Premera’s announcement of the cyberattack in 2015, the consolidated class action lawsuit was filed in the United States District Court for the District of Oregon. This consolidated class action alleged that due to Premera’s practices, cyber attackers were able to gain access to the personal information of 10.6 million individuals, including names, dates of birth, Social Security numbers, and protected health information.
Under the terms of the proposed settlement, Premera has agreed to pay $32 million to resolve the litigation. Those funds will pay for an additional two years of premium credit monitoring and identity protection services, out-of-pocket losses, and cash payments to all class members who make a claim. The fund also will pay for administrative and notice costs related to the settlement, including attorneys’ fees.
Premera has agreed to guarantee a minimum of $42 million in funding for its information security program over the next three years, and implement and/or maintain a number of specific changes to its information security practices, including: encrypting certain personal information; strengthening specified data security controls; increased network monitoring and logging of monitored activity; annual third-party security audits; stronger passwords, reduced employee access to sensitive data, and enhanced email protections; and moving certain data into archived databases with strict access controls.
The settlement, which is still subject to approval by the court, does not include any finding of wrongdoing, and Premera is not admitting any wrongdoing or that any individuals were harmed because of the cyberattack.
In a statement, Premera’s executive vice president and CIO, Mark Gregory, said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack. Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts. The company recently achieved an industry-leading HITRUST certification, demonstrating its ability to identify risks, protect assets, detect attacks, and respond and restore capabilities should the need arise.”
Officials of HITRUST (the Health Information Trust Alliance) say they “support Premera in its efforts to demonstrate its ability to identify risks, protect assets, detect attacks and respond and restore capabilities as necessary.”