New Jersey and 29 other states unveiled a $10 million settlement today with health insurer Premera Blue Cross Blue Shield over a data breach between 2014 and 2015 which exposed the information of more than 10 million customers nationwide, including social security numbers.
The Garden State, where 40,000 residents were affected by the data breach, will receive a $72,168 slice of the settlement, according to the July 11 announcement from the office of New Jersey Attorney General Gurbir Grewal.
Premera will also agree to beef up its cybersecurity measures and privacy protection, Grewal said Thursday. “We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” he said in a prepared statement.
“As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers,” Grewal added.
In addition to social security numbers, hackers also got hold of private health information that is protected under federal privacy laws – known as the Health Insurance Portability and Accountability Act or HIPAA – according to Grewal.
Premera will have to implement specific security controls to protect that kind of information, annually review its security practices and keep the state attorneys general in the loop with data security reports.
“We are pleased to have reached an agreement with state attorneys general to resolve legal inquiries into the 2014 cyberattack on our data network. The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information,” Premera spokesperson Dani Chung told NJBIZ. “Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015.
“It is important to note that independent investigators have made no determination that any customer information was removed from Premera’s systems,” Chung added.