What Lessons Can We Learn from Premera’s $10 Million Fine for Failing to Protect its Members’ Privacy?
Premera is one of the largest healthcare benefits companies in the Pacific Northwest and is part of the national Blue Cross Blue Shield Association. Premera is a Seattle-based organization. For those of you who haven’t heard of Premera Blue Cross’ multi-state data breach lawsuit, here are some highlights.
In 2014, federal auditors from the U.S. Office of Personnel Management (OPM) performed a routine audit and submitted their findings to Premera on April 18, 2014, warning that its network security was insufficient. Three weeks later Premera was hacked, and the Personally Identifiable Information (PII) of 10.4 million people nationwide was exposed, more than 6.4 million of them in Washington State. According to The Seattle Times story published on March 18, 2015, “Feds warned Premera about security flaws before breach,” “Officials gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers and expose sensitive information. Premera received the audit findings April 18 last year, according to federal records.” Among other things, the federal auditors conducted vulnerability scans and discovered that Premera wasn’t doing what any normal company does: despite being a huge multi-state healthcare organization, it was ignoring the critical patches and software updates necessary to protect the company’s network.
The Settlement
Earlier this month (July 11, 2019) Premera agreed to pay a $10 million penalty. Here’s a copy of the Consent Decree. At least 10.4 million people were affected by the data breach: more than 6.4 million people from Washington State and 4 million people from 29 other states. Premera agreed to pay $5.4 million to Washington State and about $4.6 million to the coalition of the 29 other states. Attorneys General from the following states were involved in this case:
Washington, Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah and Vermont.
Washington State’s Attorney General Bob Ferguson, who led the investigation, said that Premera was sloppy with its security. “If someone hacks into my consumer protection division, they can’t hack into our financial part of our operation. They are segregated. Premera didn’t work that way. When this hacker got in, they were in.” (King5.com) In the press release, Attorney General Ferguson said that “Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers’ sensitive health information was at risk.”
In addition to paying the $10 million fine, Premera will be spending $42 million on enhancing its own information security program over the next three years.
Premera’s Inadequate Response to Security Warnings
As I mentioned earlier, the federal auditors warned Premera that if it didn’t fix the security holes it could get hacked and its members’ sensitive information could be exposed. That’s exactly what happened. According to The Seattle Times, Premera received the audit findings on April 18, 2014, yet it didn’t respond to them until June 30, 2014, almost 10 weeks after it learned about the vulnerabilities that hackers could exploit. Premera said at that time that it had made some changes and would take care of the rest by the end of 2014. The hackers had already breached Premera’s network in May 2014, a few weeks after the auditors warned Premera on April 18, 2014 of its inadequate network security. Premera didn’t discover the hack for almost a year.
For almost 10 weeks, Premera did not respond to the warnings from the federal auditors, which included 10 recommendations to fix the vulnerabilities in Premera’s network. Three weeks after the warning, Premera was hacked in one of the largest healthcare data breaches in history.
Lessons to be Learned From Premera’s Breach
In addition to the OPM auditors, the Federal Bureau of Investigation (FBI) also warned Premera about the increased risk of attack. Premera didn’t take enough precautionary measures, and as a result 10.4 million innocent people became victims of a major security breach. The hacker got access to private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.
Premera made several mistakes before, during, and after the hack, and it is a good example of how not to run a business. There are several lessons to be learned from Premera’s data breach, if we avoid the mistakes Premera made. Here are some of the major mistakes, not necessarily in any particular order, that we can all learn from.
MISTAKE #1: Violating HIPAA Regulation
HIPAA requires that Premera provide a privacy notice to its customers. In the privacy notice, Premera promises that it will keep the customer’s sensitive information secure and protect it from unauthorized disclosure. In the class action lawsuit, the plaintiffs stated that “In addition to its implied statutory obligation, Premera expressly promises—throughout its Notice of Privacy Practices, Code of Conduct, public statements, and other written assurances—to safeguard and protect Sensitive Information in accordance with HIPAA regulations, federal, state and local laws, and industry standards.” The plaintiffs claimed that Premera failed to protect the consumer data entrusted to it, failed to disclose its security inadequacies, and failed to tell its customers for months that their sensitive data was compromised. Because of Premera’s unlawful acts, the plaintiffs decided to file the class action lawsuit against Premera. Not following the HIPAA regulations and failing to protect the customer data was a big mistake. Being warned by the federal auditors, the FBI, and its own employees about the potential exposure of sensitive data, and repeatedly ignoring them, is simply inexcusable.
Here’s what Premera’s Privacy Policy states:
“We are required by law to:
protect the privacy of your personal information; provide this Notice explaining our duties and privacy practices regarding your personal information; notify you following a breach of your unsecured personal information; and abide by the terms of this Notice.”
Premera has been blamed for violating its own privacy policy, violating the HIPAA regulation, and failing to meet its obligations under Washington’s Consumer Protection Act. Premera is required by law to:
- Protect the privacy of customers’ personal information – Premera failed to do so by ignoring warnings from their own employees and cybersecurity experts!
- Notify customers following a breach of their unsecured personal information – Premera kept the breach secret from its customers for months!
- Abide by the terms of the Notice – Premera did not abide by ALL the terms of the notice!
- Customers have to accept the Terms and Conditions when they create an online account. In those terms, Premera assures its customers that “Premera.com takes precautions to protect users’ personal information both online and offline” and “We take steps to secure our buildings and electronic systems from unauthorized access.” – Premera did not protect the personal information as promised!
Ignoring the warnings from experts, misleading public statements, a cover-up, and violation of its own privacy policy and the HIPAA regulation are all bad practices. Premera has set a new low standard in the healthcare industry that will be hard to beat.
MISTAKE #2: Ignoring FBI and OPM’s Warnings
The Seattle Times reported that Premera received the audit findings on April 18, 2014 and didn’t respond to them until June 30, 2014. That’s almost 10 weeks. Had it taken the security warnings from the FBI and OPM seriously, millions of people wouldn’t have had to suffer. Some may have to suffer the consequences of Premera’s negligence for the rest of their lives if their identity is stolen.
MISTAKE #3: Putting Security Fixes on the Back-burner
The Seattle Times reported that, rather than plugging the security holes right away in April, Premera made a few changes and decided to take care of the rest by the end of the year. Most companies would take their security vulnerabilities a little more seriously than that. They wouldn’t wait eight months to fix all the security holes; they would be more likely to fix them in eight days by working 24×7. In the end, this behavior proved to be very costly for Premera.
MISTAKE #4: Covering Up the Cybercrime
Premera misled the public. Attorney General Ferguson stated in the press release that:
After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.
As you know, it’s not always the crime that gets companies in trouble; it’s often the cover-up. The fourth mistake Premera made was covering up the data breach. It decided not to tell its customers about the hack for months, which was a huge mistake. As a result of Premera’s negligence, hackers stole the personal information of millions of Premera’s customers. The cover-up made a bad situation worse because it gave the hackers even more time to steal additional data. The plaintiffs alleged in their lawsuit that they “suffered various consequences of identity theft as a result, including fraudulent tax returns, false credit card transactions, and the denial of credit to refinance a home.” Many of these customers could have avoided these injuries had Premera not concealed the cyberattack from them, because they could have taken steps to freeze their credit and protect their identity.
MISTAKE #5: Hiring a Security Firm After the Hack, Rather Than Before
After the hack, Premera decided it would be a good idea to hire a cybersecurity firm to strengthen its security systems. Common sense dictates that this action should have been taken before the hack, not afterwards. Not hiring a CISO or enhancing its information security program was yet another mistake by Premera. The total amount of the settlement is $74 million. Premera has to spend $32 million on two years of credit monitoring service, cash payments, identity protection service, attorneys’ fees, and administration costs. The remaining $42 million will be spent on improving its information security program over the next three years.
Premera’s disaster should be an eye-opener not only for healthcare providers, but for all businesses. Unfortunately, many organizations do not prioritize security. Unless they make security a top priority, it’s only a matter of time before they’ll get hacked. Isn’t it smarter to pay a small amount upfront to enhance your information security posture, rather than pay a whole lot more later?
Were you a victim of Premera’s data breach? Are you still Premera’s customer despite the hack? Are you confident your current healthcare provider is doing enough to keep your private information secure?
Thanks for reading my article. If you are interested in IT training & consulting services, please reach out to me. Visit ZubairAlexander.com for information on my professional background.
Copyright © 2019 SeattlePro Enterprises, LLC. All rights reserved.