Premera Blue Cross, the Pacific Northwest's largest health insurance provider, is paying a $10 million fine to 30 states after a data breach exposed the personal information of millions of people.
The settlement, negotiated with the Washington attorney general's office and filed in state court Thursday, comes several weeks after Premera said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.
The states said auditors had warned Premera about vulnerabilities in its systems, including that it was slow to install software updates and security patches, but the company failed to fix them. They accused Premera of failing to meet its obligations to protect the data under the federal Health Insurance Portability and Accountability Act, known as HIPAA, and under Washington's Consumer Protection Act.
During the breach, which lasted from May 2014 to March 2015, hackers had access to sensitive data — including medical records, bank account information and Social Security numbers — for 10.4 million people.
The breach affected 6 million Washingtonians, some of whom had Premera accounts that had been canceled years before.
Washington Attorney General Bob Ferguson said Premera Blue Cross made a mistake. The state of Washington will receive $5.4 million of the $10 million national settlement.
Hackers accessed personal information from patients around the country. Ferguson said Premera was sloppy with its security.
“If someone hacks into my consumer protection division they can’t hack into the financial part of our operation, it’s segregated,” Ferguson said. “For Premera, it didn’t work that way. So once this hacker got in, they were in.”
As part of the settlement, Premera has also committed to upgrading its security.
"The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information," Premera spokeswoman Dani Chung said in an emailed statement. "Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015."
Customers whose information was exposed in the breach may also qualify for payments through the separate federal class-action lawsuit.