Rutledge Obtains Settlement from Health Insurer, Premera, Over Failure to Protect Sensitive Data of Millions of Consumers
July 11, 2019
“Visiting your health provider should not result in a loss of privacy”
LITTLE ROCK – Arkansas Attorney General Leslie Rutledge today filed a settlement requiring Premera Blue Cross to implement safeguards to protect sensitive consumer information and to pay $57,244.33 to the State of Arkansas over its failure to secure sensitive consumer data, a violation of the Personal Information Protection Act. Premera’s insufficient data security exposed highly sensitive health and personal information of nearly 20,000 Arkansans and more than 10.4 million consumers nationwide. Rutledge was joined in the suit and settlement with 29 other state attorneys general.
“Whether you are sick or just getting a check-up, visiting your health provider should not result in a loss of privacy regarding personal information,” said Attorney General Rutledge. “Premera misled Arkansans into believing that their personal information was secure.”
From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information including: private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses. The hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.
Under the Health Insurance Portability and Accountability Act (HIPAA), which governs health insurers, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information.
Today’s settlement also requires Premera to:
- Ensure its data security program protects personal health information as required by law.
- Regularly assess and update its security measures.
- Provide data security reports, completed by a third-party security expert approved by Attorney General Rutledge and the attorneys general of other states participating in the settlement.
- Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
- Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
Today’s multistate settlement against Premera also includes Alabama, Alaska, Arizona, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington.