Oregon Settles with Health Insurer Premera Over Data Breach

July 11, 2019
• Posted in ,

Oregon Attorney General Ellen Rosenblum and 29 other state Attorneys General have reached a $10 million settlement with Premera Blue Cross, known in Oregon as LifeWise Health Plan of Oregon, over its failure to secure consumer data. Oregon will receive $1.3 million from the settlement.

“It’s horrifying to think that for nearly one entire year, a hacker had access to the sensitive health records and personal data of millions of Americans. Companies must be held accountable for sloppy privacy practices that put the sensitive data of patients at risk,” said Attorney General Rosenblum. “We simply must make it a priority to educate all Americans how to recognize suspicious emails and avoid getting hacked.”

Premera’s insufficient data security exposed the personal information of more than 700,000 Oregonians who were current or former members of the plan. From May 5, 2014-March 6, 2015, a hacker used a “spear phishing” email to gain access to the Premera network containing personal information of over 10 million consumers nationwide, including private health information, names, addresses, phone numbers, dates of birth, Social Security numbers, member identification numbers, bank account information and email addresses.

In the complaint, the Attorneys General alleged that the company failed to meet its obligations under federal and state laws by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to sensitive personal information and protected health information for almost a year. For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned executive management of Premera’s inadequate security program.

Under the Health Insurance Portability and Accountability Act (HIPAA), Premera is required to implement administrative, physical, and technical safeguards that reasonably and appropriately protect sensitive consumer information.

On May 5, 2014, a hacker gained access to the Premera network using a tactic known as “spear-phishing.” The email, disguised as an email from the company’s IT department, came from a misspelled domain name, contained several suspicious misspellings and the wrong physical address for the IT department — common signs of a spear-phishing attempt.

The suspicious email prompted the employee to enter user credentials to download a security update. In reality, the employee unknowingly downloaded malware, a program designed to give the hacker access to the Premera network.

The breach affected the sensitive information of not only current Premera customers, but also former customers, and prospective customers who had applied for Premera’s services, including prospective customers who were denied coverage. It also affected non-members whose claims Premera processed and current and former Premera employees.

In addition to Oregon, the settlement against Premera involves Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Rhode Island, Utah, Vermont, and Washington.

The Oregon Department of Justice (DOJ) is led by Attorney General Ellen Rosenblum, and serves as the state’s law firm. The Oregon DOJ advocates for and protects all Oregonians, especially the most vulnerable, such as children and seniors.