Premera Blue Cross settles state data breach investigations for $10 million

The largest health insurance company in the Pacific Northwest says it will pay $10.4 million to 30 states to settle an investigation into a data breach that compromised information on more than 10 million people.

The settlement, entered into court Thursday, requires Premera Blue Cross to pay $5.4 million to Washington to resolve an investigation that determined the company was slow to patch known security vulnerabilities. Hackers had access to customers’ medical records, bank account information and Social Security numbers from May 2014 until May 2015. The remaining $5 million will be split between other states.

The case is the latest example of how, in the absence of federal leadership, state attorneys are taking legal action following large-scale security incidents. Connecticut and Illinois have opened investigations into the breach this year at the American Medical Collection Agency, which affected at least 20 million people. Other state lawsuits have resulted in settlements from Equifax, Uber and others.

This resolution comes just weeks after Premera agreed to pay $74 million to settle a class action lawsuit stemming from the same security incident. State attorneys general accused the not-for-profit health organization of failing to meet its obligations under the Health Insurance Portability and Accountability Act, as well as violating various state consumer protection laws.

“Premera had an obligation to safeguard the privacy of millions of Washingtonians — and failed,” Washington State Attorney General Bob Ferguson said in a statement. “As a result, millions had their sensitive information exposed. Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers’ sensitive health information was at risk.”

Premera, based in the Seattle suburbs, has said it takes protecting customers’ security seriously.