In May 2014, Premera Blue Cross was the target of a cyber attack in which the personal information of up to 11 million customers was made vulnerable. In March 2015, Premera announced the breach. However, it may have been aware of the breach as early as January 2015. Individual health information is protected under HIPAA (Health Insurance Portability and Accountability Act) laws, which also require covered organizations to provide notification following a breach of unsecured protected information. Although a separate private right to sue does not exist under HIPAA, the HIPAA Security rules may establish a uniform standard for securing private health information.
“In medical insurance data breaches, such as the Premera breach, the information compromised includes Social Security numbers, data of birth and medical information,” Graifman says. “When a big box store data breach occurs (e.g., Target), the information accessed is credit and debit card information. However, the personal information taken in a medical insurance data breach - Social Security numbers, for example - is more valuable to identity theft rings and potentially more injurious, experts say. With a breach involving theft of credit card information, the card issuer eventually cancels that credit card. With Social Security and date of birth information, identify theft thieves can obtain financial benefits, such as filing false tax returns, applying for a line of credit or taking out a mortgage. These can have very long-term effects.”
Included in the lawsuit are allegations that Premera knew about issues in its security systems before the breach but failed to upgrade its security or fix those flaws to properly protect private medical information.
“Premera was required to undergo certain audits because they provide insurance to government employees,” Graifman says. “So the OPM [Office of Personnel Management] conducted audits, found the systems were not properly secure and made suggestions for upgrades, but many of those suggestions were ignored.”
Lawsuits filed against Premera allege the company was negligent, breached its contract with policyholders and failed to alert policyholders about the data breach in a timely manner, and was in violation of state consumer protection laws and HIPAA law. According to Graifman, the lawsuits have now been consolidated for pretrial proceedings in a multidistrict litigation in Oregon before Judge Michael Simon. However, speaking with potential Premera insureds who may have been subjected to theft in the breach is still important says Graifman because cases such as this are asserted on a state-by-state basis and still require that at least one individual from every state with standing to sue make a claim under the laws of that state. “So someone from Connecticut, for example, may not be able to rely on a class representative from Oregon to bring his claim for him under Connecticut law.”
Policyholders who received a letter that their personal information may have been compromised should speak to an attorney. It’s also possible, however, that policyholders whose information was accessed were not notified if the company could not find them. Premera policyholders who have recently become victims of identity theft - including learning someone attempted to take out a mortgage, obtain credit in their name, or file a false tax return in their name - should consider contacting an attorney.
READ MORE PREMERA BLUE CROSS REPORTS DATA BREACH LEGAL NEWS
“Some companies have not considered information security a high priority,” Graifman says.“Only by realizing that potential liability could result from their ignoring the defects in their current system do they then become motivated to invest the money and expertise in upgrading and changing their information data security systems. That’s why these cases are important. Companies in possession of consumer personal identifying information, or PII, have to understand there will be consequences if they ignore their responsibilities to maintain that PII secure.”