[BreachExchange] 30 States Sign $10M Settlement Agreement With Premera Blue Cross Over Security Breach

Fri Jul 12 10:02:34 EDT 2019

https://www.law.com/ctlawtribune/2019/07/11/30-states-sign-10m-settlement-agreement-with-premera-blue-cross-over-security-breach/?slreturn=20190612100139

A coalition of attorneys general from 30 states, including California,
Connecticut, Florida and New Jersey, reached a $10 million settlement
agreement with Premera Blue Cross over its alleged failure to secure
consumer data.

According to the settlement agreement, Premera’s insufficient data
security gave a hacker access to health and personal information of
more than 10.4 million consumers nationwide.

Washington state, where Premera is headquartered, led the multistate coalition.

Under the settlement, California will get $996,000 for about 400,000
affected residents. Connecticut will receive $52,642 for about 15,000
residents, New Jersey $72,168 for about 40,000 people, and Florida
about $112,000 for 97,000 Floridians whose files were breached.

New York and Texas were among the 20 states that were not part of the
settlement agreement.

The data breach, officials said, occurred from May 2014 to March 2015,
when a hacker breached the Premera network and had access to clients’
Social Security numbers, bank account information, phone numbers and
member identification numbers.

The settlement requires Premera to take several steps. Among them:
ensuring its data security program protects personal health
information, regularly assessing and updating its security measures,
hiring a chief information security office for a separate position
from the chief information officer, and holding regular meetings
between that chief information security officer and the company’s
executive management. The company’s compliance officer must also
develop a process for evaluating risks, determining priorities and
reviewing compliance plans.

“We are pleased to have reached an agreement with state attorneys
general to resolve legal inquiries into the 2014 cyber attack on our
data network,” Premera Blue Cross spokeswoman Dani Chung said in a
statement Thursday. “The commitments we have agreed to are consistent
with our ongoing focus on protecting personal consumer information.”

Connecticut Attorney General William Tong said the settlement requires
the company to implement specific data-security controls to safeguard
consumers’ personal health information.

“Premera was repeatedly warned by cybersecurity experts about
deficiencies in its security program, yet the company failed to fix
its practices,” Tong said.

New Jersey Attorney General Gurbir Grewal suggested the agreement
should prompt corporations to be vigilant against breaches.

“As today’s settlement shows, companies that fall short will be held
accountable, face penalties, and be required to improve their systems
to prevent future harm to even more customers,” he said.

Grewal’s office said separate class action litigation over the breach
resulted in a proposed settlement in June that requires Premera Blue
Cross to make $42 million in cybersecurity upgrades.