District Court in Oregon approves $74 million settlement after Premera Blue Cross breach
U.S. District Court Judge Michael H. Simon issued preliminary approval on July 29 of an agreement that would require Premera Blue Cross to pay $74 million to settle a class-action lawsuit resulting from a 2015 data breach that compromised the protected health information (PHI) of more than 10.6 million people nationwide.
According to a report from The Oregonian, the settlement would involve Premera paying $32 million in damages and $42 million to improve data security. Each class member who can show proven out-of-pocket damages related to the breach would receive up to $10,000, while any class member who submits a claim would receive $50.
The breach, which began via a phishing email in May 2014, was carried out by hacking agents associated with the Chinese government, according to court documents cited by The Oregonian. It went undetected for eight months and occurred after years of internal and external audits of Premera highlighted deficiencies and high risks in its IT systems. Simon noted those vulnerabilities in his 58-page ruling in the case.
“From 2007 through 2014, Premera invested well below the healthcare industry average in security, when analyzed as a percentage of IT spending,” Simon wrote. “IT management personnel would request funding for security-related items, which ‘often’ would be denied, or would be funded significantly below the requested amount.”
A total of 42 separate lawsuits were filed against Premera in all 50 states and were consolidated into the one class-action suit that was assigned to Simon. A final fairness hearing in the case will be held March 2, 2020.