Premera Blue Cross agreed to pay $10 million to settle a multi-state data breach lawsuit that involved 30 state attorneys general. The alleged violations of state and federal laws resulted in a breach of 10.4 million records in 2014. Premera Health’s network was hacked on May 5, 2014. The hacker had access to the network without being detected until March 6, 2015. So, for about a year, the highly sensitive information of plan members, including names, birth dates, contact details, member ID numbers, and Social Security numbers, was compromised.
The following states were involved in the lawsuit: Alabama, Arizona, Alaska, Arkansas, Connecticut, California, Florida, Hawaii, Indiana, Idaho, Iowa, Kentucky, Kansas, Louisiana, Massachusetts, Mississippi, Minnesota, Montana, Nebraska, New Jersey, Nevada, North Carolina, North Dakota, Oklahoma, Ohio, Oregon, Rhode Island, Vermont, Utah and Washington.
Washington State Attorney General Bob Ferguson headed the investigation and examined the security vulnerabilities that the hacker exploited to access a large volume of sensitive information. He also investigated how the attackers remained unnoticed for nearly a year.
The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all HIPAA-covered entities to employ administrative, technical and physical safeguards to protect the confidentiality, availability and integrity of protected health information (PHI). The investigators confirmed that Premera Health committed a HIPAA violation because it failed to meet the minimum security requirements.
The issue was not just a simple oversight, as Premera Health received repeated warnings from its own auditors about the inadequacy of its security program. It made no corrections to address the vulnerabilities and lower the risk of a data breach.
New Jersey Attorney General Gurbir S. Grewal stated that all companies, especially those that manage sensitive health data, are expected to keep their customers’ data secure and to respond appropriately to a breach. This settlement demonstrates that companies will be held responsible if they fall short and could face financial penalties besides being required to upgrade their systems to prevent future breaches.
Besides the fine, Premera Blue Cross must employ more security controls to make sure that plan members’ electronic PHI is protected. Yearly cybersecurity reviews must be conducted by a third-party cybersecurity professional, and the attorneys general must receive the data security reports.
Premera Blue Cross must also hire a CISO with expertise in HIPAA compliance and data security. The CISO will be in charge of implementing Premera Health’s security plan. The CISO must attend the regular executive management meetings and must consult the CEO at least once every two months. The CISO must also report network breaches within 48 hours of discovery.
This is the second large payout Premera Blue Cross has agreed to in four weeks: last month it agreed to pay a $74 million settlement to resolve a class action lawsuit that plan members affected by the breach filed against the company.