Per the settlement, which was filed July 11, Premera will pay Washington state $5.4 million and the rest to the other 29 states. Premera has also agreed to implement new data security controls to protect health information, perform regular security reporting and hire a chief information security officer.
The states argued that auditors had alerted Premera about the vulnerabilities in its systems; however, the health insurer failed to fix them, the lawsuit said. States also argued that Premera violated HIPAA.
Between May 2014 and March 2015 patients’ health information was vulnerable to hackers.
This settlement comes after Premera agreed to spend $74 million to settle a federal class-action lawsuit on behalf of its customers.
“We are pleased to have reached an agreement with state attorneys general to resolve legal inquiries into the 2014 cyberattack on our data network,” Premera spokesperson Dani Chung told GeekWire in an email statement. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal customer information.”
More articles on cybersecurity:
Phishing attack exposes nearly 15,000 LA County health patients’ information
Hospital CFOs are stepping into cybersecurity roles
US warns against Microsoft Outlook vulnerability
