U.S. District Judge Michael H. Simon of Portland found the agreement fair, reasonable and adequate, considering the strength of the case against the insurance company and the anticipated expense and duration of continued litigation.
Under the deal, Washington-based Premera Blue Cross, the largest health insurer in the Pacific Northwest, would pay up to $10,000 to each class member who can show proven out-of-pocket damages traced to the data breach and $50 to any class member who submits a claim.
The damages fund also would cover two years of credit monitoring and insurance services for those affected, administrative costs and attorneys’ fees.
The settlement was reached after months of negotiations before retired judges and insurance legal experts with 1.5 million pages of documents examined. Forty-two separate suits against Premera in all 50 states -- with a higher concentration of plaintiffs in Oregon, Washington and California -- were consolidated and assigned to Simon.
“This kind of private information was not just personal identifiable information, such as a social security number or dates of birth. This also included personal health information. That’s pretty private stuff,” said Kim D. Stephens, a Seattle-based lawyer who was the lead attorney for the plaintiffs. “We argued that people’s health care information has an inherent value, and I think the court agreed.”
The data breach began when hackers sent a phishing email on May 5, 2014, to a Premera employee, purporting to be from Premera IT, but using an incorrect email address that read, “@premrera.com.” The email provided a link to download a document, and the employee clicked that link, which contained malware that allowed the hackers to access Premera’s server. The breach went undetected for eight months.
A cybersecurity consulting firm hired by Premera attributed the breach to hackers who were agents associated with the Chinese government, according to court records.
According to the firm Mandiant, “state-sponsored groups target and steal” sensitive information to help in their espionage and sometimes for financial profit. Some China-based threat groups operate on contract and are particularly interested in information from healthcare companies because their “records are often worth more money in underground markets than stolen credit card numbers” for mounting more sophisticated financial crimes, according to the firm.
Both internal and outside audits of Premera Blue Cross highlighted deficiencies and high risks in its information technology security systems from at least 2011. Internal audits in 2013 and 2014, for instance, identified “persistent significant deficiencies,” particularly in the company’s ability to identify any unauthorized access to its critical networks and failure to monitor its most sensitive healthcare information, according to the judge’s order.
“From 2007 through 2014, Premera invested well below the healthcare industry average in security, when analyzed as a percentage of IT spending,” the judge wrote in his 58-page ruling. “IT management personnel would request funding for security-related items, which ‘often’ would be denied, or would be funded significantly below the requested amount.”
After the data breach, customers reported fraudulent tax filings, unauthorized bank charges and medical charges for unrecognized services and prescriptions, according to court records.
Under the settlement, Premera agreed to overhaul its information security program by encrypting certain personal data, strengthening specific data security controls and increasing network monitoring. The insurer also is required to perform annual third-party vendor audits, add stronger passwords, reduce employee access to sensitive data and enhance its email security.
Mark Gregory, Premera’s executive vice president and chief information officer, said in a statement, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was potentially accessed during the cyberattack. Premera takes the security of its data and the personal information of its customers seriously and has worked closely with state and federal regulators and their information security experts.”
Stephens, attorney for the plaintiffs, called the negotiations “a very long and arduous process.”
“We feel this is a very good resolution for the class,” he said.
A third-party claims administrator now will send out notices to members of the class-action suit to instruct them to file claims for pay by March 30. A final fairness hearing before Simon will be held March 2.
©2019 The Oregonian (Portland, Ore.). Distributed by Tribune Content Agency, LLC.