Premera Blue Cross to cough up $10 million to 30 states over data breach

Premera Blue Cross has consented to pay $10 million as compensation for a nearly year-long data breach that impacted more than 10.4 million health patients, the Washington state's Attorney General Bob Ferguson announced yesterday.

More than half of those funds, roughly $5.4 million, will be allocated to Washington, and will be applied toward the enforcement of state data security and privacy laws, the AG's office said in a press release. The remainder will be split among 29 other states that formed a coalition and joined Ferguson's legal action.

The $10 million penalty is separate from any additional monies that the Mountlake, Wash.-based health insurance company may have to pony up as the result of an ongoing class-action lawsuit filed in Oregon.

In an official legal complaint filed against Premera on July 11 in Snohomish County Superior Court, the state of Washington asserted that the company's "failure to adequately safeguard personal data permitted unauthorized access to the sensitive information" of millions of consumers (over 6 million in Washington alone). Moreover, it accuses Premere of misrepresenting the "scope and severity 13 of the data breach" after the fact, as well as the "security measures Premera had in place at the time of the breach."

Altogether, about 10.5 million individuals across the country were affected by the breach, which lasted from May 5, 2014 through March 6, 2015.

As part of the terms of the consent decree agreed to by AG Ferguson and Premera, the company must strive to implement a comprehensive information security program for protecting personal health information, with safeguards and controls such as critical asset management, sensitive data mapping and encryption, network segmentation, risk assessments, secure network communications, access controls, endpoint monitoring and more.

The company must also, among other requirements, provide data security reports to the state AG's office, hire a CISO, provide security training to employees who handle sensitive information, and create a compliance program led by a compliance officer.