Health insurance company Premera Blue Cross has agreed to a $72 million proposed settlement that would resolve a contentious class-action lawsuit stemming from a 2014 data breach affecting roughly 10.6 million people.
Pending court approval and barring further appeals, the deal would require Premera to pay $42 million to fund comprehensive remedial measures and injunctive relief in the form of information security program improvements and business practice changes over the next three years, according to a motion filed on May 30 in Oregon District Court.
To that end, Premera has committed to "encrypting, archiving, and maintaining protected environments for data; requiring two-factor authentication for remote access for all personnel and vendors; performing various audits and testing exercises, and collecting and maintaining logs of covered information systems; operating a Cyber Security Operations Center; employing a Chief Information Security Officer; requiring Information Security training for its associates, etc." according to the motion.
The remaining $32 million would go toward monetary relief for all claimants, in the form of credit monitoring, identity protection services, and financial compensation. This sum would also pay for various litigative and administrative costs, including the plaintiffs' attorney's fees.
"After several years of hard-fought litigation, we are pleased that individuals affected by this data breach will receive compensation for their losses and identity theft protection going forward," said Kim Stephens, interim lead counsel for the plaintiffs, in a press release issued by her firm Tousley Brain Stephens PLLC. "The settlement also includes extensive and detailed injunctive relief in the form of substantially reformed and improved information security practices, designed to protect the class members' information from future attacks."
In the same release, Premera Executive Vice President and CIO Mark Gregory, said, "We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack. Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts. The company recently achieved an industry-leading HITRUST certification, demonstrating its ability to identify risks, protect assets, detect attacks, and respond and restore capabilities should the need arise."
