Premera Blue Cross
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
Premera Blue Cross, a major health insurance provider in the Pacific Northwest, experienced a significant data breach that began in May 2014 and went undetected for nearly nine months. The breach was initiated through a phishing email sent to a Premera employee, which led to the installation of malware that allowed hackers to access Premera’s server. This cyberattack exposed the personal and medical information of over 10.4 million individuals, including names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information[2][6][21].
The breach affected not only Premera Blue Cross but also Premera Blue Cross Blue Shield of Alaska and its affiliated companies, Vivacity and Connexion Insurance Solutions, Inc., impacting millions of individuals in Washington, Oregon, and Alaska[3]. The Federal Bureau of Investigation (FBI) worked with Mandiant, a cybersecurity firm, to investigate the attack[3]. The breach’s discovery led to significant legal and financial consequences for Premera.
Premera agreed to pay $6.85 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the breach, the second-largest payment ever made to resolve a HIPAA investigation[1][6][7][21]. Additionally, Premera settled a class-action lawsuit over the data breach, agreeing to pay $74 million, with $32 million allocated for damages and $42 million for improving data security[2]. This settlement also provided up to $10,000 to each class member who could document out-of-pocket losses traceable to the data breach, along with two years of credit monitoring and insurance services for those affected[2].
Furthermore, Premera faced a multistate settlement requiring the company to pay $10 million for failing to secure sensitive consumer data. This settlement was led by Washington Attorney General Bob Ferguson and involved a coalition of 30 states[17][18][22][23]. Washington state received $5.4 million of the total recovery, which would go towards continued enforcement of state data security and privacy laws[17][18].
The breach highlighted significant deficiencies in Premera’s information technology and security practices. Internal and external audits before the breach had identified “persistent significant deficiencies,” particularly in the company’s ability to identify unauthorized access[2]. It was also found that Premera invested well below the healthcare industry average in security as a percentage of IT spending, often denying or underfunding requests for security-related items[2].
In response to the breach and its aftermath, Premera has taken steps to enhance its cybersecurity measures, including implementing a corrective action plan as part of the settlement with the Office for Civil Rights at the U.S. Department of Health and Human Services[6][21]. This plan includes conducting an enterprise-wide risk analysis and implementing risk management and audit controls to prevent future breaches[6][21].
Citations:
- https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/premera/index.html
- https://www.govtech.com/security/premera-blue-cross-to-pay-74m-over-data-breach.html
- https://www.atg.wa.gov/news/news-releases/major-data-breach-premera-blue-cross-affects-millions-washingtonians
- https://www.premera.com/visitor/health-data/privacy
- https://www.atg.wa.gov
- https://www.healthcareitnews.com/news/premera-blue-cross-pay-685m-settle-massive-2015-breach
- https://public3.pagefreezer.com/content/HHS.gov/31-12-2020T08:51/https:/www.hhs.gov/about/news/2020/09/25/health-insurer-pays-6-85-million-settle-data-breach-affecting-over-10-4-million-people.html
- https://www.ohioattorneygeneral.gov/Media/News-Releases/July-2019/AG-Yost-Announces-Multistate-Data-Breach-Settlemen
- https://www.careersinfosecurity.com/premera-blue-cross-slapped-68-million-hipaa-fine-a-15067
- https://seattle.broadway.com/subscriptions/
- https://www.fiercehealthcare.com/tech/premera-blue-cross-to-pay-6-9m-to-hhs-for-2014-data-breach
- https://casetext.com/case/in-re-premera-blue-cross-customer-data-sec-breach-litig-7
- https://www.premera.com/wa/visitor/healthsource/community/premera-cyberattack/
- https://komonews.com/news/consumer/that-post-card-in-the-mail-about-money-from-a-premera-blue-cross-breach-settlement-is-real
- https://www.trendmicro.com/vinfo/fr/security/news/cyber-attacks/premera-blue-cross-data-breach-exposes-11m-patient-records
- https://law.alaska.gov/press/releases/2019/071119-Premera.html
- https://www.krem.com/article/news/premera-blue-cross-will-pay-millions-in-fines-where-is-that-money-going/293-68988d7b-f61f-4b4e-94e0-3361b298c3e2
- https://www.atg.wa.gov/news/news-releases/attorney-general-ferguson-s-investigation-premera-data-breach-results-premera
- https://app.ediscoveryassistant.com/case_law/21215-in-re-premera-blue-cross-customer-data-sec-breach-litig
- https://www.king5.com/article/news/local/premera-blue-cross-to-pay-states-10-million-over-2014-data-breach/281-931f7966-d984-4bfc-add5-c54b0d59680d
- https://www.hipaajournal.com/ocr-imposes-2nd-largest-ever-hipaa-penalty-of-6-85-million-on-premera-blue-cross/
- https://www.fiercehealthcare.com/tech/premera-blue-cross-to-pay-10m-to-30-states-over-2014-data-breach
- https://apnews.com/general-news-2d4e18387f2d4230ad6cb4d4e1954f20