Judge Gives Go-Ahead for Settlement of Premera Breach Case
Health Insurer Must Spend $42 Million on Security Enhancements
A federal judge in Oregon has granted preliminary approval for a $74 million settlement of a consolidated class action lawsuit against health insurer Premera Blue Cross stemming from a 2014 data breach that affected 11 million individuals. More money will go to security enhancements than to victim reimbursement.
Under the settlement, Premera agrees to spend $42 million between 2019 and 2022 to bolster its data security. "Improved data security benefits all class members, even if they are no longer insured by Premera or a related Blue Cross entity, because sensitive information remains stored on Premera's servers," U.S. District Judge Michael Simon notes.
Premera will also pay $32 million to cover a variety of other expenses, including at least $10 million to reimburse victims for certain costs, plus attorneys' fees and the cost of notifying victims.
What the Victims Get
Under the settlement, Premera will pay:
- Up to $10,000 per class member for reimbursement of proven out-of-pocket damages that can "plausibly be traced" to the data breach, including up to 20 hours of personal time at $20 per hour;
- A default settlement amount of up to $50 for class members who do not have out-of-pocket damages that can plausibly be traced to the data breach;
- Up to an additional $50 for class members who resided in California as of March 17, 2015, for a claim under the state's Confidentiality of Medical Information Act;
- Two years of free credit monitoring and insurance services for class members, who may choose to delay the start of such services for up to two years if the class member already has credit monitoring.
The settlement notes that up to $3.5 million will be set aside for the wholesale purchase of credit monitoring insurance. "If the credit monitoring and insurance services cost less than $3.5 million, the remaining amount will revert to the qualified settlement fund to be distributed to the class members on a pro rata basis or to fund additional credit monitoring services," the settlement notes.
The judge's preliminary settlement order also notes: "The court recognizes that a guarantee of no less than $10 million to be spent on the recovery of a class of potentially 10.6 million people may seem low." But, the judge notes, "it does not appear that the percentage of class members who suffered actual identity theft, and therefore would be eligible for the out-of-pocket reimbursement, is very large."
The judge also notes: "Plaintiffs have several strong arguments regarding the level of data security implemented by Premera, particularly in light of the internal and external audits that occurred before the data breach and the fact that the breach was able to go on for so long without being detected."
A Complex Case
Settlement documents note that the breach stemmed from a May 2014 cyberattack believed to have been perpetrated by an "advanced persistent threat group originating from China." The Seattle-based insurer did not reveal the breach until March 2015.
"Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington's Consumer Protection Act with respect to Premera's provision of data security are relatively strong claims," the judge writes. But the plaintiffs have a weaker case with respect to damages, he says, because "the number of class members who appear to have suffered actual identity theft or out-of-pocket damages that can reasonably be attributed to the data breach appears to be relatively low."
If the case went to trial, the judge writes, "Premera could challenge plaintiffs' contention that their sensitive information actually was exfiltrated and used."
The judge's order notes: "The case is complex, involving evidence spanning multiple years, technical information regarding computer servers and hackers, state-sponsored hacking versus other types of hacking, medical information, the dark web, and the implications of spoliation of a particular server."
During the lawsuit process so far, the parties exchanged 1.5 million pages of documents, the judge notes. "The case has been expensive to litigate, and continuing litigation would be time-consuming and add further expense."
Besides agreeing to pay $74 million to settle its consolidated class action lawsuit involving the data breach, Premera in July signed a $10 million HIPAA settlement with the attorneys general of 30 states in the wake of its data breach (see: Premera Signs $10 Million Breach Settlement with 30 States).
Regulatory scrutiny is a familiar aftermath of most large breaches, notes privacy attorney David Holtzman of the security consultancy CynergisTek.
"Unauthorized disclosures by malicious insiders have been one of the leading causes of breaches reported to the Department of Health and Human Services' Office for Civil Rights each year since the [September 2009] effective date of the HIPAA Breach Notification Rule," he says.
"Today's audit and monitoring technologies that employ behavioral analytics and AI have proven effective in discovering when sensitive data is being accessed inappropriately," he notes.
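The kind of behavioural check Holtzman is describing can be illustrated with a small baseline-deviation test over record-access logs. The code below is an added example, not code from the article, from Premera or from any monitoring product; the log format, the account names and the daily volumes are constructed for the example. Each account's day is judged only against that account's own earlier days, which is what lets a sudden bulk pull of member records stand out even when the account is authorised to read records:

```python
# Added example (not from the article or any vendor product): a minimal
# behavioural baseline check of the kind audit-and-monitoring tools apply
# to record-access logs. The log format and the accounts are assumptions.
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed access-log lines, format '<date> <account> <member_id>'.

    svc_claims touches 3-5 member records a day and then 40 on 2014-05-08;
    analyst_a touches 2 a day throughout. Dates are illustrative only.
    """
    daily_counts = {
        "svc_claims": [4, 3, 5, 4, 4, 3, 5, 40],
        "analyst_a": [2] * 8,
    }
    lines = []
    for account, counts in daily_counts.items():
        for day, n in enumerate(counts, start=1):
            for i in range(n):
                lines.append(f"2014-05-{day:02d} {account} M{day:02d}{i:03d}")
    return lines


def daily_distinct_records(lines):
    """Map account -> {date: number of distinct member records accessed}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        date, account, member_id = line.split()
        seen[account][date].add(member_id)
    return {acct: {d: len(ids) for d, ids in days.items()}
            for acct, days in seen.items()}


def flag_anomalous_days(lines, min_history=3, z_threshold=3.0, min_excess=10):
    """Flag days on which an account's volume departs from its own past.

    Each day is judged only against that account's earlier days, so a
    spike never inflates the baseline it is compared with. A floor of 1.0
    on the standard deviation stops a perfectly flat history from turning
    every one-record blip into an alert; min_excess adds an absolute bar.
    Returns a sorted list of (account, date, count, baseline_mean).
    """
    alerts = []
    for account, per_day in daily_distinct_records(lines).items():
        history = []
        for date in sorted(per_day):
            count = per_day[date]
            if len(history) >= min_history:
                base_mean = float(mean(history))
                base_sd = max(pstdev(history), 1.0)
                z = (count - base_mean) / base_sd
                if z >= z_threshold and count - base_mean >= min_excess:
                    alerts.append((account, date, count, round(base_mean, 2)))
            history.append(count)
    return sorted(alerts)


if __name__ == "__main__":
    for account, date, count, baseline in flag_anomalous_days(build_sample_log()):
        print(f"ALERT {date} {account}: {count} records vs baseline {baseline}")
```

On the constructed data only the 40-record day for svc_claims is flagged; analyst_a's flat two-a-day pattern never trips the check. Real deployments replace the per-account daily count with richer features (records outside the user's caseload, off-hours access, export volume) and tune `z_threshold` and `min_excess` against their own false-positive budget.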
To help thwart hacker attacks, he says, "healthcare organizations should perform a technical security assessment, including vulnerability scans and penetration testing to ensure their firewall settings are preventing data access through uncontrolled open ports."
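One concrete piece of the assessment Holtzman recommends is reconciling what a host actually listens on against the inbound ports the firewall policy is meant to allow. The script below is an added example, not part of the article or of any assessment tool; the `ss -ltnH` output and the allowlist are constructed for the example and stand in for output captured from a real host and for that host's intended firewall policy. Listeners bound to every interface that are not covered by the policy are the "uncontrolled open ports" to chase down, either by closing the service or by writing the rule that governs it:

```python
# Added example (not from the article): reconcile listening sockets
# against an assumed inbound-firewall allowlist. Sample output and the
# allowlist are constructed; loopback-only listeners are ignored because
# they are not reachable through the firewall at all.
from ipaddress import ip_address

# Constructed sample in the shape of `ss -ltnH` (no header line).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 [::1]:9200 [::]:*
LISTEN 0 50 0.0.0.0:1433 0.0.0.0:*
"""

# Assumed policy for this example: the firewall is meant to admit only
# SSH from the management network and HTTPS from the internet.
FIREWALL_ALLOWED_INBOUND = {22, 443}


def parse_listeners(text):
    """Return (address, port) for each LISTEN line of ss -ltn output.

    Fields are: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
    IPv6 addresses arrive bracketed, e.g. [::]:443, so the brackets are
    stripped after splitting on the last colon.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_wildcard(addr):
    """True for sockets bound to all interfaces (0.0.0.0, ::, or ss's '*')."""
    if addr == "*":
        return True
    try:
        return ip_address(addr).is_unspecified
    except ValueError:
        return False


def uncontrolled_listeners(text, allowed_ports=FIREWALL_ALLOWED_INBOUND):
    """Listeners on all interfaces whose port the firewall policy does not cover."""
    return sorted((addr, port) for addr, port in parse_listeners(text)
                  if is_wildcard(addr) and port not in allowed_ports)


if __name__ == "__main__":
    for addr, port in uncontrolled_listeners(SAMPLE_SS_OUTPUT):
        print(f"uncontrolled listener: {addr}:{port}")
```

On the sample, RDP (3389) and MSSQL (1433) bound to 0.0.0.0 are reported, while PostgreSQL on 127.0.0.1 and Elasticsearch on ::1 are not, since nothing outside the host can reach them. This is a host-side view only; the external vulnerability scan Holtzman mentions is still needed to confirm what the firewall actually exposes, because a listener absent from the policy may already be blocked upstream, and a policy entry may exist for a port nothing listens on.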