July 11, 2019
Carson City, NV – Nevada Attorney General Aaron D. Ford and 29 other attorneys general filed a settlement today that requires Premera Blue Cross, the largest health insurance company in the Pacific Northwest, to pay $10 million to resolve claims about its failure to secure sensitive consumer data. Premera’s insufficient data security exposed the protected health information and personal information of more than 10.4 million consumers nationwide, including 49,529 Nevada consumers.
From May 5, 2014 until March 6, 2015, a hacker had unauthorized access to the Premera network containing sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses. A coalition of 30 states investigated Premera’s cybersecurity vulnerabilities and found the hacker took advantage of multiple known weaknesses in Premera’s data security. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.
“Despite years of warnings, this company recklessly exposed some of the most sensitive consumer information,” said AG Ford. “This settlement not only gets justice for Nevada, but also puts everyone on notice that we are serious about data privacy and we will aggressively act to protect consumer information.”
In addition to Premera’s failure to comply with state laws governing security of personal information, today’s complaint is notable because the attorneys general also held Premera accountable for its obligations under the federal Health Insurance Portability and Accountability Act. The complaint also alleges that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. The company also misled consumers about the security measures in place, even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.
In addition to payment of $10 million total to the states, Premera is also required under the settlement to implement specific data security controls intended to protect personal health information, annually review its security practices, and provide data security reports to the attorneys general.
In addition to Nevada, today’s multistate settlement against Premera includes Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.
Senior Deputies Lucas Tucker and Laura Tucker in the Bureau of Consumer Protection represented the Nevada Attorney General in this matter.
A copy of the complaint can be found here and a copy of the Final Judgment and Consent Decree can be found here.