New Jersey A.G. Grewal Announces Settlement With Premera Blue Cross Over Data Breach
* * *
Company Failed to Fix Known Security Problems that Exposed Personal Data to Hacker; Settlement Requires Premera to Strengthen Data Security, Report to States Annually
* * *
Attorney General
Under terms of the settlement, Premera must pay the states a total of
The investigation found that Premera's inadequate data security exposed to a hacker the protected health information and personal information of more than 10.4 million insureds nationwide. The data breach affected approximately 40,000
"We expect all companies - and particularly those that possess sensitive health information - to protect their customers' data and to respond appropriately in the event of a breach," said Attorney General Grewal. "As today's settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers."
A complaint filed today along with the settlement agreement asserts that Premera failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated state consumer protection laws by not addressing known cybersecurity vulnerabilities.
Separate class action litigation involving the breach resulted in a proposed settlement in
From
In doing so, the hacker took advantage of multiple known weaknesses in Premera's data security.
Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumer's sensitive data vulnerable to hacking.
For years prior to the breach, cybersecurity experts and the company's own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without correcting its practices, the multi-state investigation determined.
The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera's call center agents told consumers there was "no reason to believe that any of your information was accessed or misused." They also told consumers that "there were already significant security measures in place to protect your information," even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.
Today's settlement also requires Premera to:
* Ensure its data security program protects personal health information as required by law.
* Regularly assess and update its security measures.
* Provide annual data security reports completed by a third-party security expert approved by the multistate coalition.
* Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance, and will be responsible for implementing, maintaining and monitoring the company's security program.
* Hold regular meetings between the chief information security officer and Premera's executive management. The information security officer must meet with Premera's CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
In addition to
Deputy Attorney General
Sen. Menendez Issues Remarks on Wright’s Confirmation as EPA Assistant Administrator
House Oversight Committee Issues Testimony From Ex-Tennessee Deputy Governor Henry
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News