In March 2015, health insurer Premera Blue Cross in Seattle reported a major data breach that affected close to 10.6 million plan members. The breach happened in 2014 and a wide range of information was stolen. Bank account details, health information and Social Security numbers were compromised. It is believed that an APT group working outside China was responsible for the cyberattack.
Immediately after the data breach announcement, a number of class action lawsuits were filed to seek damages for the breach victims. Over 40 of the class action lawsuits were combined into one class action lawsuit filed in the United States District Court in Oregon.
The lawsuit alleges that Premera Blue Cross’ cybersecurity practices were inadequate and that threat actors exploited the vulnerabilities to access plan members’ sensitive data.
Premera Blue Cross proposed to settle the lawsuit for $74 million. The terms of settlement state that Premera Blue Cross is going to pay $32 million to the breach victims.
The majority of the fund is going to cover the price of two more years of credit monitoring and identity theft protection services. Data breach victims can also claim back out-of-pocket expenses proven to be associated with the breach, including the time spent fixing problems connected to the breach.
People who don’t submit out-of-pocket claims can get a cash payment of up to $50, and California residents can get up to $50 in compensation under the California Confidentiality of Medical Information Act. The fund is also going to cover attorneys’ charges and administrative and notification expenses.
The remaining $42 million is going to be spent on Premera Blue Cross’ information security program over the following three years. Some of the security measures to be implemented include sensitive personal information encryption, enhanced data security controls, yearly third-party security audits, upgraded network logging and tracking, and the migration of some data into archived, protected databases with tight access controls. Premera Blue Cross is also going to strengthen its passwords, improve email security, and minimize employee access to sensitive information.
Premera Blue Cross has already improved security and has just obtained HITRUST certification, which shows the company’s ability to determine risks, secure data, identify cyberattacks, and react to data breaches.
The settlement agreement is going to resolve the lawsuit without any admission of wrongdoing by Premera Blue Cross or of the harm experienced by the breach victims.
Premera Blue Cross has already filed a motion for preliminary approval and is awaiting court approval.