On January 29, 2015, Premera Blue Cross revealed they were
the victims of a cyber attack, making
vulnerable the records of 11 million Premera customers. Those affected
include Premera’s policyholders,
as well as individuals who do business with Premera and provide such information
as email addresses, personal bank accounts, or social security numbers. Premera
released a statement confirming the
incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska,
and their affiliate brands Vivacity and Connexion Insurance Solutions, Inc.
While the breach was reported on January 29th, Premera discovered the hackers
succeeded in their initial breach as early as May 5, 2014, revealing 8 months
of undetected access to
customer information.
At stake in the breach are not only the vast amounts of claims data, including
social security and bank account numbers, but also medical records and clinical
information. Health care security expert Dave Kennedy explains the danger:
“Medical records paint a really personal picture of somebody’s life and medical
procedures; they allow you to perpetrate really in-depth medical fraud.” Steven
Teppler, plaintiff’s lawyer in Cossey et al. v. Premera Blue Cross, reaffirms
the gravity of the hacking. He illustrates how personal
health information represents “a mother lode of immense permanent
value” to data thieves, which can be “sold and resold and result in a future
for the victim that virtually guarantees identity compromise and resultant
damage, both financial and reputational for years to come.” While Premera
assures they have no evidence of the breached data being used inappropriately,
litigation has already been initiated in response to the incident.
On March 26, Weitz & Luxenberg P.C. (W&L) announced
they were filing a class action
lawsuit against Premera on behalf of policyholders who lost
sensitive, private information as a result of the data breach. W&L has
extended potential eligibility for representation to those policyholders who
contracted with Premera during or
after 2002, as this is the farthest back the hackers are known to
have reached. W&L alleges Premera failed to reasonably safeguard the
confidential data and protect the
victimized policyholders after the hacking. They explain the breach
has been made “especially egregious” by the fact the policyholders were not
informed of the breach until 6 weeks after it had happened. Robin L. Greenwald,
the head attorney of W&L litigation, reveals that Premera knew its system
was especially vulnerable to cyber attack, as the federal government had
informed them of its inadequacy a year prior. Greenwald says litigation is an
“important step in holding [Premera] accountable”
for failing to keep its information secure and to prevent further harm once
it knew of the breach.
As of April 2015, Premera is facing five
different lawsuits filed in the District Court of Seattle,
Washington. The complaints
allege breach of contract, unjust enrichment, negligence, violation of HIPAA,
actionable misrepresentation, failure to timely disclose the breach, and other
infractions. Among these are the charges for Washington’s state class, where
the largest number of policyholders
of Premera Blue Cross reside: violation of Washington’s Data Disclosure law,
RCW 19.255.010, which states disclosures of a data breach involving such
information as social security numbers, account numbers, and other personal
information, must be made in the most expedient time possible and without
delay; and violation of Washington’s Consumer Protection Act, RCW 19.86, which
asserts that Premera’s failure to protect its consumers’ information
constitutes an unfair action under the Act. Lawsuits demand that Premera be
held financially responsible for the losses their customers will suffer, as
well as damages for negligently permitting the breach to occur.
In a message, Premera’s President and CEO, Jeff Roe, announced that customers whose
information has been removed from the system have been notified by mail since March
17, 2015, and that two years of free credit monitoring and identity protection
services will be made available to them. Roe’s message stresses that “[Premera] want[s] to make
this event our burden, not yours, by making services available to protect you
and your information moving forward.” While these steps for damage control are
underway, Premera Blue Cross is far from escaping liability. The FBI
is continuing to investigate the Premera breach, but does confirm “cybercrime
remains a significant threat.” In his commentary on Premera’s breach in tandem
with Anthem’s recent security breach, Kennedy warns that the threat of abuse of
the hacked information is still high. While experts expect other health care
companies will be prompted to scour their own systems for intrusions, Kennedy believes
those intrusions
already exist and will be found. With the nature of the Premera breach being so
critical and personal, insurance companies everywhere should be taking significant
steps to ensure not only that future cyber attacks will be unsuccessful, but also that
breaches already underway can be halted and reversed.
Sarah Balas is a current 2L at DePaul University
College of Law. Ms. Balas would like to focus her career on Health Compliance
or Health Law after graduation.