Blue Cross insurance will pay $10M USD fine for data breach

According to reports from information security experts, Premera Blue Cross, the Pacific's largest insurer, agreed to pay about $10 million in 30 states after the disclosure of a data breach that compromised the data of more than 10 million people in the U.S.

The company reached an agreement with the Washington Attorney General's Office; the agreement was filed after Premera had already paid more than $70M USD to resolve a class action filed by users affected by the incident.

The plaintiffs claim that a group of information security experts had warned the company about serious security vulnerabilities in its systems and its poor patch management policy. The lawsuit accuses the company of not meeting its data protection obligations under the federal Health Insurance Portability and Accountability Act (HIPAA).

The Washington Attorney General's Office says the company was aware of its security flaws: "The company's internal information security staff warned Premera on multiple occasions; apparently, the company decided not to give importance to the advice of its own experts", added Bob Ferguson, Washington Attorney General.

The breach went undetected from May 2014 until March 2015. According to specialists from the International Institute of Cyber Security (IICS), the attackers were able to access confidential information of Premera customers, such as clinical history, bank details and Social Security numbers, among other data. In total, 1.4 million of the company's customers, mainly residents of the West Coast, were affected.

Premera agreed to pay $5.4 million to Washington State; the rest of the settlement will be shared among the other states involved. According to the experts of the International Institute of Cyber Security (IICS), the company also committed to updating its data protection policies and will have to submit periodic reports to the relevant authorities.

The agreement still requires the approval of judges in the other states, which require the company to provide two years of credit monitoring and identity fraud protection services to affected users.