Premera Data Breach Lawyer: Companies Must Face Consequences for Failing to Protect Identifying Information


. By Heidi Turner

When retail stores have suffered data breaches, the incidents have been big news, but data breaches at insurance companies can be even more harmful. Gary Graifman, partner at Kantrowitz Goldhamer & Graifman in charge of consumer class-action litigation, says Premera policyholders whose information was accessed in a recent data breach could be at risk of identity theft for a long period of time. Premera lawsuits have now been filed alleging, among other things, that the company was negligent in its handling of sensitive policyholder information, that it failed to follow the data breach notification laws it is subject to and that it violated consumer protection laws.

In May 2014, Premera Blue Cross was the target of a cyber attack in which the personal information of up to 11 million customers was made vulnerable. In March 2015, Premera announced the breach. However, it may have been aware of the breach as early as January 2015. Individual health information is protected under HIPAA (Health Insurance Portability and Accountability Act) laws, which also require covered organizations to provide notification following a breach of unsecured protected information. Although a separate private right to sue does not exist under HIPAA, the HIPAA Security rules may establish a uniform standard for securing private health information.

“In medical insurance data breaches, such as the Premera breach, the information compromised includes Social Security numbers, data of birth and medical information,” Graifman says. “When a big box store data breach occurs (e.g., Target), the information accessed is credit and debit card information. However, the personal information taken in a medical insurance data breach - Social Security numbers, for example - is more valuable to identity theft rings and potentially more injurious, experts say. With a breach involving theft of credit card information, the card issuer eventually cancels that credit card. With Social Security and date of birth information, identify theft thieves can obtain financial benefits, such as filing false tax returns, applying for a line of credit or taking out a mortgage. These can have very long-term effects.”

Included in the lawsuit are allegations that Premera knew about issues in its security systems before the breach but failed to upgrade its security or fix those flaws to properly protect private medical information.

“Premera was required to undergo certain audits because they provide insurance to government employees,” Graifman says. “So the OPM [Office of Personnel Management] conducted audits, found the systems were not properly secure and made suggestions for upgrades, but many of those suggestions were ignored.”

Lawsuits filed against Premera allege the company was negligent, breached its contract with policyholders and failed to alert policyholders about the data breach in a timely manner, and was in violation of state consumer protection laws and HIPAA law. According to Graifman, the lawsuits have now been consolidated for pretrial proceedings in a multidistrict litigation in Oregon before Judge Michael Simon. However, speaking with potential Premera insureds who may have been subjected to theft in the breach is still important says Graifman because cases such as this are asserted on a state-by-state basis and still require that at least one individual from every state with standing to sue make a claim under the laws of that state. “So someone from Connecticut, for example, may not be able to rely on a class representative from Oregon to bring his claim for him under Connecticut law.”

Policyholders who received a letter that their personal information may have been compromised should speak to an attorney. It’s also possible, however, that policyholders whose information was accessed were not notified if the company could not find them. Premera policyholders who have recently become victims of identity theft - including learning someone attempted to take out a mortgage, obtain credit in their name, or file a false tax return in their name - should consider contacting an attorney.

On top of the possibility of having their identity stolen, policyholders must devote significant time and energy dealing with the fallout of an identity theft. Sorting out the situation can be frustrating, and Graifman says policyholders wouldn’t have had to take these measures if companies properly secured their information.

“Some companies have not considered information security a high priority,” Graifman says.
“Only by realizing that potential liability could result from their ignoring the defects in their current system do they then become motivated to invest the money and expertise in upgrading and changing their information data security systems. That’s why these cases are important. Companies in possession of consumer personal identifying information, or PII, have to understand there will be consequences if they ignore their responsibilities to maintain that PII secure.”


Premera Blue Cross Reports Data Breach Legal Help

If you or a loved one have suffered losses in this case, please click the link below and your complaint will be sent to an internet/technology lawyer who may evaluate your Premera Blue Cross Reports Data Breach claim at no cost or obligation.

READ MORE PREMERA BLUE CROSS REPORTS DATA BREACH LEGAL NEWS