Premera Signs $10 Million Breach Settlement With 30 States
Agreement Follows Proposed $74 Million Settlement of Class Action Lawsuit
(This story has been updated.)
Health insurer Premera Blue Cross has signed a $10 million HIPAA settlement with the attorneys general of 30 states in the wake of a data breach that exposed personal information on more than 10.4 million individuals nationwide.
The settlement, tied to a 2014 breach disclosed in 2015, was announced Thursday by Connecticut Attorney General William Tong.
The coalition of 30 state attorneys general, led by Washington State Attorney General Bob Ferguson, investigated Seattle-based Premera's cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for nearly a year, Tong said in a statement.
Under the settlement, the insurer is required to implement specific data security controls intended to safeguard PHI. That includes annually reviewing its security practices and providing data security reports to the attorneys general.
Premera's $10 million payment to the states is in addition to a proposed $74 million class action lawsuit settlement, which was filed in June.
"Premera was repeatedly warned by cybersecurity experts about deficiencies in its security program, yet the company failed to fix its practices," Tong said in the statement.
The multistate settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington.
Under the settlement, Premera must:
- Ensure its data security program protects personal health information as required by law;
- Regularly assess and update its security measures;
- Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington state attorney general's office;
- Hire a CISO experienced in data security and HIPAA compliance who will be responsible for implementing, maintaining and monitoring the company's security program;
- Hold regular meetings between the CISO and Premera's executive management. The CISO must meet with Premera's CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
Premera did not respond to a request for comment.
The Premera settlement with the 30 state attorneys general is the second multistate HIPAA enforcement action.
In May, cloud-based electronic health records vendor Medical Informatics Engineering signed a $900,000 settlement with 16 state attorneys general in a HIPAA violations case stemming from a 2015 data breach.
Under the HITECH Act, states can take civil action against organizations for HIPAA violations. At the federal level, the Department of Health and Human Services' Office for Civil Rights enforces HIPAA.
"I do think it's very likely that we will see more multistate AG enforcement efforts in data privacy and security incidents moving forward, although I do not expect them to become more frequent than settlements with single state attorneys general," says privacy attorney Iliana Peters of the law firm Polsinelli.
Federal and state legislators and regulatory enforcers are taking great interest in ensuring protections for consumers' data, she says.
"The state attorneys general appear to be becoming more comfortable with their enforcement authority under HIPAA, particularly in conjunction with state data privacy and security protections as well," she says.
The recent multistate settlements, Peters says, "indicate a willingness by the state AGs to coordinate on important multistate cases. I also believe that coordination on these types of cases takes a significant investment of resources by the state attorneys general, so I will be interested to see how many we see in the future."
Privacy attorney David Holtzman of the security consulting firm CynergisTek offers a similar assessment. "We are seeing a significant increase by state attorneys general investigating cybersecurity incidents in which personally identifiable information is compromised. The AGs are responding to consumers and legislative efforts expanding data privacy protections that hold organizations accountable to put into place safeguards for highly sensitive personal information like health records or financial data," he says.
Lessons to Learn
So, what should other HIPAA covered entities and business associates learn from this settlement?
"The settlement's corrective action plan negotiated by Premera is very tough and thorough, requiring substantial investment in technical and logical information security controls," Holtzman notes. For instance, the settlement requires that the company's leadership take steps to ensure that privacy and security are top priorities baked into Premera's culture, he points out.
"I believe that organizations can look to the Premera agreement as an example of how to fashion a fair agreement with regulators that aims to restore the trust and confidence of consumers in the organization's privacy and information security practices."