Premera Blue Cross failed to adequately protect its customers' personal information and notify them of a recent data breach in a timely manner, according to the latest class-action lawsuit filed Thursday against the insurer in federal court in Seattle.
The suit is one of at least five class-action suits filed over the breach, said James Bilsborrow, an attorney representing the plaintiffs with law firm Weitz & Luxenberg. Premera announced earlier this month that a May 2014 cyberattack breached a system that contained records for 11 million of its customers.
Several class-action lawsuits already have been filed against insurer Anthem, which also suffered a cyberattack disclosed earlier this year that exposed the personal information of 80 million current and former Anthem members.
Premera said in a statement Friday the latest lawsuit was not unexpected because such actions are typical following data breaches. The insurer said it could not comment on pending litigation.
However, in an earlier statement on the insurer's website, Premera President and CEO Jeff Roe said of the attack: “The privacy and security of our members' personal information is a top priority for us. As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward.”
Premera has pledged to provide customers with two years of free credit monitoring and identity theft-protection services, including identity theft insurance.
The lawsuit against Premera was filed on behalf of three plaintiffs from Nevada and Washington. The complaint in the suit alleges Premera “breached its duty to protect and safeguard its customers' personal and health information and take reasonable steps to contain the damage caused where any such information was compromised.”
The insurer's cybersecurity systems were breached just weeks after federal auditors warned Premera that those systems were vulnerable, according to the lawsuit. Premera then exposed customers to even greater risk by waiting six weeks to publicly reveal the breach, the lawsuit alleges.
The insurer still has yet to “fully and accurately” inform all those affected about the breach's consequences for them, according to the lawsuit.
“This is unacceptable,” the complaint states. “In a data breach situation, it is incumbent upon the breached company to provide accurate and complete information to those at risk so they may immediately protect themselves and their families from further harm.”
Washington state law requires companies to provide notice as quickly as possible, according to the lawsuit.
The lawsuit also alleges that a recent outbreak of healthcare data breaches should have put Premera on high alert. It references a Community Health Systems hack that exposed the Social Security numbers of 4.5 million customers in 2014, and incidents involving Centura Health in Colorado and St. Joseph Health System in Texas.
“The history of cyber security breaches in the industry, and the warnings that are now all but ubiquitous, have placed companies operating in the industry on notice of the duty to safeguard customers' personal and health information,” according to the lawsuit. “If anything, this history of failure should spur greater efforts to implement top-of-the-line cyber security measures that exceed the industry standard.”
Bilsborrow also said a greater breadth of data was exposed in the Premera breach compared with the Anthem hack. In the Premera cyberattack, clinical information was exposed, raising “the specter of medical blackmail, healthcare discrimination, and more effective information by which to perpetrate fraud,” he said.
Ken Dort, a partner in Drinker Biddle & Reath's Intellectual Property Practice Group in Chicago, said there might be some merit to the plaintiffs' allegation that Premera waited an unnecessarily long time to publicize the breach. But he said it can often be difficult in such cases for plaintiffs to get significant damages.
For example, in a previous case involving AvMed, the insurer agreed, as part of a settlement, to reimburse customers who lost money as a result of their identities being stolen through a data breach. In that case, two laptops containing personal information for more than 1 million customers were stolen. Dort, however, said AvMed didn't have to set aside a great deal of money to reimburse those customers because it can be nearly impossible to show identity theft issues are a direct result of a data breach.
The lawsuit against Premera seeks unspecified damages.
The Premera breach affects Premera Blue Cross, Premera Blue Cross and Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions, according to Premera. The attack may have exposed applicants' and members' names, birthdays, contact information, Social Security numbers, member identification numbers, bank account information and clinical information.