Attorney General Yost announces multistate data breach settlement with Premera

Ohio Attorney General Dave Yost recently announced a multistate settlement that will require health insurance company Premera Blue Cross to pay $10 million following a breach of protected health information (PHI). According to the settlement, Premera failed to meet its requirements under the Health Insurance Portability and Accountability Act (HIPAA) and violated Ohio’s Consumer Sales Practice Act. 

The 30 states involved in the settlement claimed Premera’s inadequate data security exposed the PHI of more than 10.4 million individuals, including 52,677 people in Ohio. Specifically, Premera’s cybersecurity vulnerabilities gave a hacker unrestricted access to PHI across a 10-month period in 2014 and 2015. The sensitive personal information the hacker accessed was comprehensive and included private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The cybersecurity vulnerabilities that gave access to the PHI resulted from multiple known weaknesses in Premera’s data security. Premera had been repeatedly warned by its own auditors that its security program was inadequate but failed to make any changes to correct the known weaknesses. After the breach was discovered and became public, Premera call center agents allegedly misled affected individuals by stating that there was no reason to believe that their personal information was accessed or misused.    

Under the settlement, Premera will also be required to implement new specific security controls, hire a chief information security officer, annually review its security practices and provide data security updates to the various attorneys general. The $10-million settlement is in addition to the $74 million Premera agreed to pay to settle a federal class action lawsuit over the data breach.