Premera Blue Cross to cough up $10 million to 30 states over data breach

Premera Blue Cross has consented to pay $10 million as compensation for a nearly year-long data breach that impacted more than 10.4 million health patients, Washington state Attorney General Bob Ferguson announced yesterday.

More than half of those funds, roughly $5.4 million, will be allocated to Washington, and will be applied toward the enforcement of state data security and privacy laws, the AG's office said in a press release. The remainder will be split among 29 other states that formed a coalition and joined Ferguson's legal action.

The $10 million penalty is separate from any additional monies that the Mountlake, Wash.-based health insurance company may have to pony up as the result of an ongoing class-action lawsuit filed in Oregon.

In an official legal complaint filed against Premera on July 11 in Snohomish County Superior Court, the state of Washington asserted that the company's "failure to adequately safeguard personal data permitted unauthorized access to the sensitive information" of millions of consumers (over 6 million in Washington alone). Moreover, it accuses Premera of misrepresenting the "scope and severity of the data breach" after the fact, as well as the "security measures Premera had in place at the time of the breach."

Altogether, about 10.5 million individuals across the country were affected by the breach, which lasted from May 5, 2014 through March 6, 2015.

As part of the terms of the consent decree agreed to by AG Ferguson and Premera, the company must strive to implement a comprehensive information security program for protecting personal health information, with safeguards and controls such as critical asset management, sensitive data mapping and encryption, network segmentation, risk assessments, secure network communications, access controls, endpoint monitoring and more.

The company must also, among other requirements, provide data security reports to the state AG's office, hire a CISO, provide security training to employees who handle sensitive information, and create a compliance program led by a compliance officer.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
