SACRAMENTO - California Attorney General Xavier Becerra today announced the recovery of over $1 million for California as part of a multistate settlement against health insurer Premera Blue Cross (Premera). The settlement resolves allegations that the health insurer violated state and federal privacy laws arising from a 2014 data breach. The settlement was the result of a multistate investigation and includes $10 million in civil penalties, of which California will receive $1,002,814. It also includes significant injunctive terms requiring Premera to implement reasonable security to protect consumers’ personal and medical information and to maintain a compliance program.
“Consumers who entrust their health information to companies deserve security in return. Companies have a responsibility to protect consumers’ private information, especially sensitive health information,” said Attorney General Becerra. “Premera’s failure to protect the private information of millions of patients is unacceptable. This settlement should send a strong message to companies with loose data privacy practices: it doesn’t pay to cut security corners.”
The settlement stems from a data breach that was publicly announced in March 2015, where the personal information of 10.5 million consumers, including 400,000 Californians, was breached. The data included the consumers’ names, Social Security numbers, bank account information, medical information, and health claims-related data. Attackers gained access to patient data by sending fake, targeted emails to Premera employees. These emails contained malware that allowed the attackers to spend months compromising Premera’s inadequately-secured network.
The multistate investigation found that the company lacked basic data security, failed to monitor its network for malicious activity, and disregarded experts’ warnings of security flaws. In addition, it failed to limit access to sensitive information, allowing employees without business need to access the information.
The settlement resolves allegations that Premera violated each state’s consumer protection and medical information laws, as well as the federal Health Insurance Portability & Accountability Act (HIPAA), which established national standards and safeguards to protect personal health information.