Premera Blue Cross to pay $10 million to 30 states, including New Jersey, after data breach

Premera Blue Cross Blue Shield, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states, including New Jersey, after an investigation into a data breach that exposed the personal information of more than 10 million people.

The states claimed Premera’s inadequate security measures left its computer network exposed to a hacker who accessed Social Security numbers and sensitive health data of customers for ten months in 2014 and 2015. The data breach affected 10.4 million people, including 40,000 New Jersey residents, according to the state Attorney General’s office.

Under the settlement, Premera must pay $10 million, including more than $72,000 to New Jersey. The insurer must also implement specific data security controls, annually review its security practices, provide reports to state attorneys general, and hire a chief security information officer.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” New Jersey Attorney General Gurbir Grewal said in a statement.

Premera spokesperson Dani Chung said the insurer was pleased to reach the agreement and continues to enhance its cybersecurity programs and practices.

“Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015,” Chung said in a statement. “It is important to note that independent investigators have made no determination that any customer information was removed from Premera’s systems.”

In May, Premera said it would pay $74 million to settle a federal class action lawsuit over the data breach. The proposed settlement still must be approved by a federal judge in Oregon.

Premera was accused of failing to meet obligations under the federal Health Insurance Portability and Accountability Act and of violating state consumer protection laws by not addressing known cybersecurity vulnerabilities.

___

(c)2019 The Philadelphia Inquirer

Visit The Philadelphia Inquirer at www.inquirer.com

Distributed by Tribune Content Agency, LLC.