Premera Blue Cross has agreed to settle a data breach lawsuit that was brought against the insurer after a cyberattack in May 2014 exposed 10.6 million patients.
The insurer announced in 2015 that the cyberattack had occurred, prompting the plaintiffs to file a class action lawsuit in the U.S. District Court of Oregon. In the data breach, patients' names, dates of birth, social security numbers and protected health information were exposed.
Premera has agreed to pay $32 million to resolve the lawsuit. The money will pay for patients who file claims to receive two additional years of credit monitoring and identity protection services. Patients who were affected can also file claims for cash payments.
Additionally, Premera has agreed to pay a minimum of $42 million to fund a new information security program over the next three years. The insurer will incorporate these changes:
- Encrypting certain personal information.
- Strengthening specified data security controls.
- Increased network monitoring and logging of monitored activity.
- Annual third-party security audits
- Stronger passwords, reduced employee access to sensitive data and enhanced email protections.
- Moving certain data into archived databases with strict access controls.
"We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack. Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their security experts," Premera's Executive Vice President and CIO Mark Gregory said in a news release.
More articles about health IT:
HHS OIG warns against genetic testing scam
Battle of the coasts: How Boston-based digital health companies compete with Silicon Valley for tech talent
Smaller tech 'tweaks' add up to make a big impact on clinical care