Attorney General Jim Hood secured $42,479.50 for the state of Mississippi from a multistate settlement with health insurance company Premera Blue Cross after the company failed to secure sensitive consumer data. General Hood joined 29 other attorneys general in filing the $10 million settlement Thursday. The states' complaint asserts that Premera exposed the protected health information and personal information of more than 10.4 million people nationwide, including 18,156 Mississippians.
Premera is a Blue Cross Blue Shield insurer based in the state of Washington. The attorneys general investigated cybersecurity vulnerabilities at Premera that gave a hacker unrestricted access to protected health information and personal information between May 5, 2014, and March 6, 2015, including Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses. The complaint asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated the Mississippi Consumer Protection Act by not addressing known cybersecurity vulnerabilities.
“This company failed in its corporate responsibility to protect consumers,” General Hood said. “Living in a digital world is convenient, but it also puts us at great risk of threats, like hackers. We trust that organizations with whom we share our personal information will protect it, especially when they are required to do so by law. The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks and failed to change its practices.”
The complaint also asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.
Under HIPAA, Premera is required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumers’ sensitive data vulnerable to hackers for nearly a year.
The settlement requires Premera to:
- Ensure its data security program protects personal health information as required by law
- Regularly assess and update its security measures
- Provide third-party data security reports to the Washington Attorney General’s Office
- Hire a chief information security officer who will work with Premera’s executive management
Premera’s $10 million payment to the states is in addition to any payment to consumers from the proposed private class action settlement in Oregon. Additional information for consumers on how to file a claim is available HERE.
The following states joined Mississippi in the settlement: Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.