$74 Million Settlement of Premera Breach Lawsuits ProposedIn Addition to Settling With Victims, Heath Insurer Would Invest in Security Measures
A proposed $74 million settlement of a consolidated class action lawsuit against Premera Blue Cross after a 2014 data breach that affected nearly 11 million individuals includes $32 million for breach victims and related legal costs and also would require the health insurer to invest $42 million to bolster data security.
The proposed agreement, which was filed in federal court in Oregon on Friday, would settle a class action lawsuit that consolidated more than 40 lawsuits filed after the data breach was revealed in March 2015 by the Seattle-based insurer. It awaits court approval.
Settlement documents note that the breach stemmed from a May 2014 cyberattack believed to have been perpetrated by an "advanced persistent threat group originating from China."
Court documents note that the consolidated class action "alleges that due to Premera's practices, cyberattackers were able to gain access to the personal information of 10.6 million individuals," including names, dates of birth, Social Security numbers, names of employers and other protected health information.
Some legal experts say that although most data breach lawsuits are tossed out of court, certain companies consider settlements in large, high-profile data breach cases for a number of reasons, including the expense of time-consuming litigation fights.
Terms of Settlement
Under the proposed settlement, Premera would:
- Fund two years of credit monitoring and identity theft insurance for those whose data was exposed in the breach;
- Provide cash payments for reimbursement of certain documented out-of-pocket losses as well as time spent addressing or remedying issues plausibly traceable to the security incident;
- Pay up to $50 as alternative settlement compensation to those who do not make claims for out-of-pocket losses;
- Pay up to $50 as compensation under the California Confidentiality of Medical Information Act for victims who live in California;
- Cover costs of the settlement administration, court-approved attorneys' fees and expenses, and potential $5,000 "services awards" for about 20 plaintiffs named in the lawsuit "for their time, effort, and risk in connection with the [legal] action."
Premera has also agreed to spend at least $42 million over the next three years on enhanced data security measures. Those include taking action to:
- Encrypt sensitive data, such as member names and Social Security numbers.
- Implement and maintain two-factor authentication for remote access to Premera's environment by affiliate or vendor personnel;
- During vendor security assessments, require business record documentation that demonstrates that the vendor deploys two-factor authentication for remote access to the internal Premera network by personnel of the affiliate or vendors;
- Perform network monitoring, including detection of anomalous data extraction and alerting and investigating all such anomalies.
- Undertake an annual IT security audit using the current HITRUST Common Security Framework;
- Archive all claims data from Blue Card health plan applications that have not been accessed within a three-year period in a separate, secured, logically air-gapped environment, and protect those claims by using dedicated servers and whole disk encrypted drives.
Premera CIO Comments
In a statement Mark Gregory, Premera's executive vice president and CIO, says the company is "pleased to be putting this litigation behind us and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack"
Premera has worked closely with state and federal regulators and their information security experts, he says. And the insurer recently achieved HITRUST certification, he adds.
Most data breach lawsuits are dismissed by the courts. "But there are any number of factors that could make it attractive for a large healthcare insurer to settle a class action in which consumers claimed they were harmed by the unauthorized disclosure of the personally identifiable information through a cyberattack," says privacy attorney David Holtzman of security consultancy CynergisTek.
"Often, organizations and their cybersecurity insurance carriers will balance the cost of a settlement against the expense and burden to the day-to-day operation of the company from mounting a legal defense against a class-action lawsuit potentially involving millions of consumers," he notes.
Factors that organizations and plaintiff's lawyers must weigh when deciding whether to settle a breach-related lawsuit include the degree to which consumers can demonstrate they suffered actual harm from the disclosure of their personally identifiable information; evidence that the organization had not put reasonable information security controls in place, contributing to the severity of the breach; and whether insurance can cover some or all of the cost that would be paid in a settlement, Holtzman says.
Technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C, says the proposed Premera settlement "from the affected individual's perspective [appears] better than what we've seen in the past. The settlement amount is at once a bit on the low side, but the definition of losses has been expanded, and the types of covered triggering incidents are both expanded and better defined."
Earlier Settlement in Anthem Case
Last year, in another breach-related lawsuit against a health insurer, a California federal court approved a $115 million settlement in the consolidated class action lawsuit against Anthem, which in 2015 revealed a major cyberattack that affected nearly 80 million individuals (see: Judge Approved Final $115 Million Anthem Settlement).
Most of the money in that settlement - which was the result of a consolidation of more than 100 lawsuits filed against Anthem - was slated to fund two more years of credit monitoring and fraud resolution services for victims. About 13 percent of the fund has been reserved for cash reimbursements for any victims who paid out of pocket for security monitoring services.
As part of that settlement, Anthem must nearly triple its cybersecurity budget, according to court documents in that case.
In May, two Chinese men were indicted on charges related to the Anthem cyberattack, as well as attacks against three other U.S. companies (see: Chinese Men Charged in Hacking of Health Insurer Anthem).