Attorneys General Reach $10 Million Settlement with Premera Blue Cross in Data Breach Investigation

PHOENIX -- Attorney General Mark Brnovich, along with his counterparts in 29 other states, today announced a $10 million settlement with health insurer Premera Blue Cross.  The settlement resolves a multistate investigation relating to the company’s 2014/15 data breach, which exposed the protected health information and other personal information of more than 10.4 million consumers nationwide.

“Companies that collect and maintain sensitive personal information, particularly sensitive health information, must take steps to ensure the security and privacy of that information,” said Attorney General Brnovich.  “When they fail to do so, they violate the trust we place in them, and my office will continue to hold them accountable.”

Premera is the largest health insurance company in the Pacific Northwest.  As a health insurance provider, Premera is subject to the privacy and security requirements of the federal Health Insurance Portability and Accountability Act (HIPAA). However, as alleged in the complaint underlying today’s settlement, Premera repeatedly failed to comply with those requirements, leaving millions of consumers’ sensitive data vulnerable to hackers for nearly a year.  The complaint also alleged that Premera violated the Arizona Consumer Fraud Act by failing to implement reasonable security procedures and practices to protect the sensitive information of Arizona residents.

More specifically, the complaint alleges that from May 5, 2014, until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers, and email addresses. To gain such access, the hacker took advantage of multiple weaknesses in the company’s data-security practices, of which Premera had been warned repeatedly by cybersecurity experts and even its own auditors.

Today’s settlement will require Premera to:

  • Ensure its data security program protects personal health information as required by law;
  • Regularly assess and update its security measures; and
  • Hire a Chief Information Security Officer (CISO), who will be responsible for:
    • implementing, maintaining, and monitoring the company’s security program;
    • meeting regularly with the company’s executive management; and
    • informing the company’s CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

Under the settlement, Premera also will pay a total of $10 million to the 30 states involved in the multistate investigation. Arizona will receive $154,885.52.  The funds will be deposited into the Attorney General's consumer-protection revolving fund. This payment to the states is independent of any consumer relief that might be obtained in the separate, private class-action that has been filed against Premera and remains pending in the federal court for the District of Oregon.

For Arizona, this matter was handled by Assistant Attorney General John Gray.

Copy of the complaint against Premera, a copy of the consent judgment will be available upon entry by the court.

If you believe you have been the victim of consumer fraud, please contact the Attorney General’s Office in Phoenix at (602) 542-5763, in Tucson at (520) 628-6648, or outside the metro areas at (800) 352-8431. Bilingual consumer protection staff is available to assist. Consumers can also file complaints online.