MOUNTLAKE TERRACE — Premera Blue Cross, one of the Pacific Northwest’s largest health insurers, has agreed to pay $10 million for a 2014 data breach that affected some 10 million people nationwide, including more than 6 million Washington residents.
Washington Attorney General Bob Ferguson led an investigation into the health insurer’s security practices and was joined in a legal action by a coalition of 29 state attorneys general.
In a consent decree filed Thursday in Snohomish County Superior Court, the Mountlake Terrace-based health insurance company agreed to pay $10.4 million to state attorneys general in 30 states, including Washington.
Premera agreed to the settlement without admitting fault.
The consent decree satisfies a complaint filed Thursday in Snohomish County Superior Court in which the state attorney general alleged that Premera violated state and federal consumer and health protection regulations by failing to “reasonably safeguard personal health information from any intentional or unintentional use.”
A spokeswoman for Premera Dani Chung said in an email that the agreement is consistent with the company’s “ongoing focus on protecting personal customer information.”
“Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state attorneys general, regulators and their information security experts, since the attack was made public in 2015,” Chung said.
Said Chung,”It is important to note that independent investigators have made no determination that any customer information was removed from Premera’s systems.”
The health insurer will pay $5.4 million to Washington state. The money will be used to uphold enforcement of state data security and privacy laws.
The remainder of nearly $4.6 million will be distributed among a coalition of states, including Alabama, Alaska, California, Connecticut, Nebraska, Oklahoma, Oregon, Rhode Island, Utah and Vermont.
The agreement also requires Premera to beef up data security, hire a chief information security officer and provide annual security reports to the state attorney general’s office.
The data breach potentially put 10.4 million people at risk for identity theft, and bank account and credit fraud, authorities said.
In March 2015, Premera told authorities that an unknown user had “gained unauthorized access to its networks,” the news release said.
From May 5, 2014, until March 6, 2015, the attorney general said, a hacker had unauthorized access to the Premera network, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses, Ferguson said in a news release.
“Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed,” Ferguson said Thursday.
The $10 million payment is separate from a proposed class settlement, which was filed in federal court in Oregon but has not been finalized by the court. Premera recently agreed to pay $74 million to settle the class action.
That proposed class action settlement is intended to provide compensation to affected individuals.
Consumers affected by Premera’s data breach should expect to receive information about restitution after the settlement is approved by the court.