Premera Blue Cross is facing five class-action lawsuits and continuing questions from top officials since the health insurer disclosed a major data breach last week.
The suits, filed in U.S. District Court in Seattle on behalf of Premera customers from Washington, Nevada and Massachusetts, make similar complaints: that Premera was negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner.
The complaints say Premera should be held financially responsible for any losses customers suffer, as well as award damages and restitution, immediately notify each person whose information was compromised and prevent breaches from happening in the future, according to documents filed with the court.
“Right now everyone is operating in the dark about what information has been taken and who might have taken it,” said attorney Darrell Cochran, of Pfau Cochran Vertetis Amala, in Tacoma. He is representing two Bonney Lake residents who have health insurance through Premera.
Meanwhile, in a reply to a letter last week from Sen. Patty Murray, Premera CEO Jeffrey Roe defended the company’s response to the breach and said it is not yet clear how the malware entered its system.
However, Roe’s letter went on to say, once the attackers were in the network, they were able to access login credentials, allowing them to gain broader access to Premera’s computer network.
Premera, based in Mountlake Terrace, said March 17 that about 11 million current and former customers may have been victims of the cyberattack, which was discovered on Jan. 29. The company said the breach initially took place eight months earlier, on May 5, 2014.
After news of the breach, which could affect more than 6 million current and former Washington policy holders, Murray and Washington state Insurance Commissioner Mike Kreidler both launched investigations into Premera, the largest health-insurance provider in the state based on enrollment.
Both were particularly concerned about the delay in informing customers about the breach.
In Premera’s response to Murray’s letter, CEO Roe reiterated the reason for the delay — the company waited to inform the public until after its information-technology systems were secure. He said that decision was based on advice from Mandiant, a consultant it had hired on computer-security issues.
For her part, Murray said by email that she was still “seriously concerned about the pace of notification, as well as how impacted families and businesses are being informed and assisted.” She said she would “continue monitoring progress closely to make sure all those affected by this breach in Washington state and across the country get the support they need.”
Premera said the data that may have been involved in the breach date as far back as 2002 and include names, dates of birth, Social Security numbers, addresses, bank-account information and claim information, including clinical information.
The data involve current and former customers of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, Vivacity, Connexion Insurance Solutions, and Premera’s LifeWise affiliates in Washington, Oregon and Arizona, as well as LifeWise Assurance.
The lawsuits argue Premera violated the Health Insurance Portability and Accountability Act (HIPAA), as well as the insurer’s own privacy policies, by allowing the data to be accessed. In doing so, the suits say, the company has put customers at risk of identity theft, bank fraud, tax fraud and medical-identity fraud.
Eric Earling, vice president of corporate communications at Premera, said the company had no comment about the suits.
But he said the company “expected litigation on this issue.”
In disclosing the breach, Premera has said there is no evidence information was taken from its system or used. CEO Roe said in his response to Murray that the uncertainty is the reason the company is offering two years of free credit monitoring and identity-theft-protection services.
Still, security experts say customers should be concerned.
David Kennedy, an expert in health-care security and CEO of TrustedSEC, said that while Premera’s offer of free monitoring is a good step, identity theft could happen “tomorrow or five years from now.”
“A year or two might not do any good,” he said.
He noted the Premera breach is particularly concerning, more so than the even bigger Anthem insurance breach disclosed in February. He said medical data involved in stealing a person’s identity may be a recipe for people looking to have a medical procedure performed, racking up significant charges.
The lawsuits also suggest the breach could have been prevented. Three weeks before the hack, federal auditors warned Premera its network-security procedures were inadequate.
The U.S. Office of Personnel Management gave 10 recommendations for Premera to fix problems, saying some of the vulnerabilities could be exploited by hackers, exposing sensitive information.
Premera received the audit findings April 18 last year, according to federal records.
Premera’s Roe told Murray last week that Mandiant found no evidence the cyberattack was related to any of the items identified in the audit.