ANCHORAGE (KTUU) - Premera Blue Cross will pay Alaska approximately $467,000 and a total of $10 million among 30 states over its failure to secure sensitive consumer data.
According to a press release from the Alaska attorney general’s office, a hacker had unauthorized access to the Premera network from May 5, 2014, until March 6, 2015. The network contained sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses. The breach exposed the information of more than 10.4 million customers across the country.
The release also states that for years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.
"In this electronic age, we all need to be vigilant about cybersecurity and that includes companies like Premera who hold sensitive personal and financial information from consumers," said Alaska Attorney General Kevin Clarkson. "It would be one thing if Premera had quickly notified individuals or tried to improve its security measures when it was alerted to the issues. Instead, Premera continued to downplay the harm and tried to convince consumers their information was still safe. This is unacceptable."
As part of the settlement, Premera will pay $10 million total to the states. The company is also required to implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general.
Premera’s $10 million payment to the states is in addition to any payment from the proposed class action settlement, which was filed in federal court in Oregon but has not yet been finalized by the court.
On top of the above requirements, the health insurance company must also hire a chief information security officer, a separate position from the chief information officer. Also, the new chief information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
Copyright 2019 KTUU. All rights reserved.