Blue Cross Data Breach

On January 29, 2015, Premera Blue Cross revealed that it was the victim of a cyber attack that left the records of 11 million Premera customers vulnerable. Those affected include Premera’s policyholders, as well as individuals who do business with Premera and provide such information as email addresses, personal bank accounts, or social security numbers. Premera released a statement confirming the incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and their affiliate brands Vivacity and Connexion Insurance Solutions, Inc. While the breach was reported on January 29th, Premera discovered the hackers succeeded in their initial breach as early as May 5, 2014, revealing 8 months of undetected access to customer information.

At stake in the breach are not only the vast amounts of claims data, including social security and bank account numbers, but also medical records and clinical information. Health care security expert Dave Kennedy explains the danger: “Medical records paint a really personal picture of somebody’s life and medical procedures; they allow you to perpetrate really in-depth medical fraud.” Steven Teppler, plaintiff’s lawyer in Cossey et al. v. Premera Blue Cross, reaffirms the gravity of the hacking. He illustrates how personal health information represents “a mother lode of immense permanent value” to data thieves, which can be “sold and resold and result in a future for the victim that virtually guarantees identity compromise and resultant damage, both financial and reputational for years to come.” While Premera assures they have no evidence of the breached data being used inappropriately, litigation has already been initiated in response to the incident.

On March 26, Weitz & Luxenberg P.C. (W&L) announced they were filing a class action lawsuit against Premera on behalf of policyholders who lost sensitive, private information as a result of the data breach. W&L has extended potential eligibility for representation to those policyholders who contracted with Premera during or after 2002, as this is the farthest back the hackers are known to have reached. W&L alleges Premera failed to reasonably safeguard the confidential data and protect the victimized policyholders after the hacking. They explain the breach has been made “especially egregious” by the fact that the policyholders were not informed of the breach until 6 weeks after it had happened. Robin L. Greenwald, the head attorney of W&L litigation, reveals that Premera knew its system was especially vulnerable to cyber attack, as the federal government had informed them of its inadequacy a year prior. Greenwald says litigation is an “important step in holding [Premera] accountable” for failing to keep its information secure and to prevent further harm upon knowledge of the breach.

As of April 2015, Premera is facing five different lawsuits filed in the District Court of Seattle, Washington. The complaints allege breach of contract, unjust enrichment, negligence, violation of HIPAA, actionable misrepresentation, failure to timely disclose the breach, and other infractions. Among these are the charges for Washington’s state class, where the largest number of policyholders of Premera Blue Cross reside: violation of Washington’s Data Disclosure law, RCW 19.255.010, which states that disclosures of a data breach involving such information as social security numbers, account numbers, and other personal information must be made in the most expedient time possible and without delay; and violation of Washington’s Consumer Protection Act, RCW 19.86, which asserts that Premera’s failure to protect its consumers’ information constitutes an unfair action under the Act. The lawsuits demand that Premera be held financially responsible for the losses their customers will suffer, as well as damages for negligently permitting the breach to occur.

In a message, Premera’s President and CEO, Jeff Roe, announced that customers whose information has been removed from the system have been notified via mail since March 17, 2015, and that two years of free credit monitoring and identity protection services will be made available to them. Roe’s message stresses that “[Premera] want[s] to make this event our burden, not yours, by making services available to protect you and your information moving forward.” While these steps for damage control are underway, Premera Blue Cross is far from escaping liability. The FBI is continuing to investigate the Premera breach, but does confirm “cybercrime remains a significant threat.” In his commentary on Premera’s breach in tandem with Anthem’s recent security breach, Kennedy urges that the threat of abuse of the hacked information is still high. As experts expect other health care companies will be prompted to scour their own systems for intrusions, Kennedy believes those intrusions already exist and will be found. With the nature of the Premera breach being so critical and personal, insurance companies everywhere should be taking significant steps to ensure not only that future cyber attacks will be unsuccessful, but also that breaches already underway can be halted and reversed.

Sarah Balas is a current 2L at DePaul University College of Law. Ms. Balas would like to focus her career on Health Compliance or Health Law after graduation.