Premera Blue Cross, the largest health insurer in the Pacific Northwest, has agreed to pay $10 million to 30 states following an investigation into a data breach that exposed confidential information on more than 10 million people across the country.
The settlement, negotiated with the Washington attorney general's office and filed in state court Thursday, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.
The states said auditors had alerted Premera to the vulnerabilities in its system, including that it was slow to install software updates and security patches, but it failed to fix them. They accused Premera of failing to meet its obligations to protect the data under the federal Health Insurance Portability and Accountability Act, known as HIPAA, and Washington's Consumer Protection Act.
"Premera knew they had a problem," said Washington Attorney General Bob Ferguson. "Their own experts told them. They chose to ignore the advice of their own experts."
During the breach, which lasted from May 2014 to March 2015, hackers had access to sensitive data — including medical records, bank account information and Social Security numbers — for 10.4 million people, the majority of them in Washington.
Premera is based in Mountlake Terrace, a north Seattle suburb. Those whose data was exposed include all Premera Blue Cross subscribers from 2002 through early 2015, as well as patients insured through other Blue Cross companies who sought treatment in Washington or Alaska.
Under the settlement, Premera will pay $5.4 million to Washington and the rest to the other states, and it will implement data security controls to protect personal health information, review its security practices yearly and provide data security reports to the attorney general's office.
"The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information," Premera spokeswoman Dani Chung said in an emailed statement. "Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015."
Chung said independent experts had not made a finding that any customer information was removed from Premera's systems, but the federal class-action case alleged that hackers used the private information to open fraudulent accounts, file fraudulent tax returns and steal identities.
The settlement in the federal class-action, which still requires the approval of a judge in Oregon, requires Premera to pay for two years of credit monitoring on behalf of its customers. It also offers them up to $50 — $100 for subscribers in California — plus reimbursement of documented out-of-pocket expenses related to the breach.