More than 270,000 Idahoans were affected by the 2014-2015 breach

(Boise) — Idaho Attorney General Lawrence Wasden and 29 other state attorneys general reached a settlement today that requires Premera Blue Cross, the largest health insurance company in the Pacific Northwest, to pay $10 million over its failure to secure sensitive consumer data. Premera’s insufficient data security exposed health and other personal information of more than 270,000 Idahoans and 10.4 million consumers nationwide.

Idaho’s share of the settlement totals $240,000 which, by law, will be deposited into the state’s Consumer Protection Fund. Any payments and redress to individuals harmed are being addressed in a proposed class action settlement in a federal court action in Oregon.

“Despite repeated warnings about shortcomings in their systems, the company did not take the necessary steps to resolve those issues,” Wasden said. “As a result, sensitive information was compromised. This settlement forces the company to take responsibility for sitting on its hands and ensures this won’t be the case again.”

An investigation revealed Premera’s cybersecurity vulnerabilities gave a hacker unrestricted access to protected health information for almost a year. From May 5, 2014, until March 6, 2015, the hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.

The complaint asserts that Premera misled consumers about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” despite the previous warnings over the company’s vulnerabilities.

Today’s settlement also requires Premera to:

  • Ensure its data security program protects personal health information as required by law.
  • Regularly assess and update its security measures.
  • Provide the states with data security reports, completed by a third-party security expert.
  • Hire a chief information security officer experienced in data security and HIPAA compliance.

Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.