[BreachExchange] Premera agrees to $74M settlement for 2014 data breach

Destry Winant destry at riskbasedsecurity.com
Thu Jun 6 09:34:21 EDT 2019


https://www.healthdatamanagement.com/news/premera-agrees-to-74m-settlement-for-2014-data-breach

Five years after hackers accessed the personal information of 10.6
million individuals, parties to a consolidated class action lawsuit
have reached one of the largest healthcare data breach settlements.

Premera Blue Cross has agreed to pay $32 million to resolve the
litigation, which was filed in United States District Court for the
District of Oregon, and has made a three-year commitment of a minimum
of $42 million in funding to bolster its information security program.

In May 2014, the health insurer was hit by a cyberattack that
compromised the personal information of 10.6 million individuals,
including names, dates of birth, Social Security numbers and protected
health information. However, Premera did not discover the data breach
until January 2015.

“After several years of hard-fought litigation, we are pleased that
individuals affected by this data breach will receive compensation for
their losses and identity theft protection going forward,” said Kim
Stephens, interim lead counsel for the plaintiffs. “The settlement
also includes extensive and detailed injunctive relief in the form of
substantially reformed and improved information security practices,
designed to protect the class members’ information from future
attacks.”

As part of the settlement, plaintiffs will receive an additional two
years of premium credit monitoring and identity protection services,
out-of-pocket losses, as well as cash payments to all class members
who make a claim.

Further, Premera has agreed to fund six improvements to its
information security program, including:

• Encrypting certain personal information

• Strengthening specified data security controls

• Increased network monitoring and logging of monitored activity

• Annual third-party security audits

• Stronger passwords, reduced employee access to sensitive data, and
enhanced email protections

• Moving certain data into archived databases with strict access controls

“We are pleased to be putting this litigation behind us, and to be
providing additional substantial benefits to individuals whose data
was potentially accessed during the cyberattack,” said Mark Gregory,
Premera’s executive vice president and CIO.

“Premera takes the security of its data and the personal information
of its customers seriously and has worked closely with state and
federal regulators and their information security experts,” added
Gregory. “The company recently achieved an industry-leading HITRUST
certification, demonstrating its ability to identify risks, protect
assets, detect attacks, and respond and restore capabilities should
the need arise.”

