FORT WAYNE, Ind. (WPTA21) — Indiana and Ohio are getting a payout as a part of a multi-state settlement with a health insurance company that failed to secure sensitive consumer data.
The settlement comes after Premera Blue Cross had sensitive consumer data exposed by a hacker. The complaint says the company neglected to address known cybersecurity vulnerabilities, which the hacker took advantage of to access protected health information.
For years before the breach, the complaint says cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without fixing its practices.
After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.”
Wednesday’s settlement requires Premera to:
- Ensure its data security program protects personal health information as required by law.
- Regularly assess and update its security measures.
- Provide data security reports, completed by a third-party security expert approved by the multistate coalition, to the Washington State Attorney General’s Office.
- Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance and will be responsible for implementing, maintaining and monitoring the company’s security program.
- Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.
Premera must also pay $10 million total to the 30 states involved in the settlement, on top of any amount it will pay as a result of a proposed class action settlement.