In re Premera Blue Cross Customer Data Security Breach Litigation, 2019 WL 3410382 (D. Or. 2019)
A court has preliminarily approved a $74 million settlement in a class action lawsuit filed by individuals affected by a large data breach at Premera Blue Cross (see our Checkpoint article). The breach, which was discovered in January 2015 and had gone undetected for nearly a year, compromised sensitive information of approximately 11 million members and employees, including names, dates of birth, Social Security numbers, member ID numbers, contact information, medical claims information, financial information, and other protected health information. An initial lawsuit in 2015 alleged that Premera was negligent in its data security practices; failed to honor the promises of confidentiality in its HIPAA privacy notice; and actively and fraudulently concealed the breach for several months before taking remedial action and notifying those affected. The trial court dismissed most of those claims (see our Checkpoint article), and also partially granted Premera’s motion to dismiss an amended complaint, but other claims survived.
While a motion for class certification was pending, the parties engaged in mediation and proposed a settlement. Under the settlement agreement, which resolves the lawsuit with no admission of liability, Premera will pay $32 million into a fund that will cover class members’ costs of recovery, attorney’s fees, and costs. Costs of recovery include reimbursement of proven out-of-pocket damages traceable to the breach; fixed payments to class members unable to prove out-of-pocket damages; and two years of credit monitoring and insurance services. Premera will also pay $42 million toward improved data security over the next three years. The court granted preliminary approval of the proposed settlement, finding it fair, reasonable, and adequate based on the strength of the case against Premera and the cost of continued litigation.
EBIA Comment: Although OCR resolution agreements tend to grab the HIPAA headlines, this case, like the Anthem settlement that was also discovered in January 2015 (see our Checkpoint article), provides a reminder that breaches have significant and far-reaching financial consequences. Although HIPAA lacks a direct private right of action, HIPAA failures may form the basis for claims under other laws. And breaches also can create negative publicity and harm employee relations. Having an incident response plan in place before a breach happens can help reduce cost, uncertainty, and disruption. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXI.D.3 (“Litigation Based on State-Law Claims”), XXV.H (“Guide to Planning for Breach Notification”), and XXX (“Core Security Requirements”). You may also be interested in our webinar Nuts and Bolts of HIPAA Uses and Disclosures (recorded on 7/25/19).
Contributing Editors: EBIA Staff.