Attorney General Andy Beshear announced today that he will send more than $50,000 to the state’s general fund following a multistate settlement with Premera Blue Cross over its failure to secure the sensitive data of nearly 38,000 Kentuckians.
In total, 30 attorneys general participated in the settlement, which requires the not-for-profit Blue Cross Blue Shield-licensed health insurance company to compensate the states and better protect health and personal information by implementing stronger data security procedures.
In 2015, the attorneys general began investigating Premera’s cybersecurity vulnerabilities, concluding that insufficient data security exposed data, including private health information, of more than 10.4 million consumers nationwide to a hacker for nearly a year.
Beshear said that although Premera is not licensed in Kentucky and does not operate there, Kentuckians were impacted if they worked for a company that received benefit services through Premera or traveled to a state where Premera provided or processed health insurance services.
“Today’s settlement is a big win for Kentuckians who want to see companies held responsible for their actions or, in this case, lack of action,” said Beshear. “Not only has Premera paid for exposing the personal health information of thousands of Kentuckians, we made them get to work to correct their mistakes and now they are required to have stronger data security controls.”
Premera will also be required to hire additional staff to help improve data security, annually review its security practices and provide data security reports to the attorneys general.
In the complaint, Beshear asserted that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated the state consumer protection act by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information.
From May 5, 2014, until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including personal health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.
The hacker took advantage of multiple known weaknesses in Premera’s data security. Years before the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without changing its practices.
The complaint claims that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities before the breach.
In total, Premera will pay $10 million to 30 states. Payments to each state are based on several factors including the number of impacted residents.
Thursday’s settlement is in addition to any payment from a proposed class-action settlement that was filed in federal court in Oregon but is not yet final.
Beshear has worked to hold accountable companies that failed to prevent data breaches.
In May, Beshear announced the state’s general fund would receive more than $25,000 following the court’s approval of a consent judgment, negotiated by 16 attorneys general and the health records companies involved in the breach – Medical Informatics Engineering, Inc. and NoMoreClipboard LLC. That 2015 data breach allegedly compromised the data of 69,000 Kentuckians, including 33,000 Social Security numbers.
Settlements and civil litigation from Beshear’s consumer protection efforts have returned over $16 million to the Commonwealth’s general fund.
These actions have yielded restitution that could exceed $95 million, representing amounts paid to consumers or amounts Kentuckians are eligible to receive, and the value of credits, student loan debt relief and warranty extensions made available to Kentuckians.
If Kentuckians believe their personal information has been compromised, Beshear urges them to contact his office at 502-696-5300 to report identity theft and seek guidance on how to apply for fraud alerts and credit freezes.