Attorney General Yost announces multistate data breach settlement with Premera



Ohio Attorney General Dave Yost recently announced a multistate settlement that will require health insurance company Premera Blue Cross to pay $10 million following a breach of protected health information (PHI). According to the settlement, Premera failed to meet its requirements under the Health Insurance Portability and Accountability Act (HIPAA) and violated Ohio’s Consumer Sales Practice Act. 

The 30 states involved in the settlement claimed Premera’s inadequate data security exposed the PHI of more than 10.4 million individuals, including 52,677 people in Ohio. Specifically, Premera’s cybersecurity vulnerabilities gave a hacker unrestricted access to PHI across a 10-month period in 2014 and 2015. The sensitive personal information the hacker accessed was comprehensive and included private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

The cybersecurity vulnerabilities that gave access to the PHI resulted from multiple known weaknesses in Premera’s data security. Premera had been repeatedly warned by its own auditors that its security program was inadequate but failed to make any changes to correct the known weaknesses. After the breach was discovered and became public, Premera call center agents allegedly misled affected individuals by stating that there was no reason to believe that their personal information was accessed or misused.    

Under the settlement, Premera will also be required to implement new specific security controls, hire a chief information security officer, annually review its security practices and provide data security updates to the various attorneys general. The $10-million settlement is in addition to the $74 million Premera agreed to pay to settle a federal class action lawsuit over the data breach.
