A Federal District Judge issued preliminary approval to a $74 million settlement proposal to resolve a combined class action lawsuit versus Premera Blue Cross over the 10.6 million records data breach in 2014.
US District Judge Michael Simon decided that the settlement proposal was sensible, reasonable and sufficient according to the defense’s case towards Premera and the probable cost of an ongoing lawsuit.
In the proposed settlement, $32 million will be funded for the breach victims to cover damages claims, $10 million of which will compensate victims for costs sustained due to the breach. The $42 million will be employed to better the security posture of Premera over the next three years.
Improving data security is crucial for Premera. Internal and third-party audits prior to and right after the breach revealed a number of vulnerabilities. Premera had been cautioned regarding the vulnerabilities before the breach but did not do something. That lack of action made way for hackers to access its network. Additionally, it took Premera about a year to discover the compromise of its systems.
All class members will benefit from Premeraa’s improved data security. Even those who are not insured Premera or an associate Blue Cross entity will be benefitted because sensitive data remains on Premera’s servers.
A $10 million fund may not be enough to reimburse the costs resulting from the data breach of 10.6 million people. However, Judge Simon decided the amount as fair since rather few of the plaintiffs had suffered identity theft resulting from the data breach. Also, the settlement comes with $3.5 million to cover the fees for further credit monitoring services.
The lawsuit against Premera was complicated and needed a substantial amount of technical data regarding the data security protections set up. The information also covers a few years. Whether or not Premera broke its contractual promises, was negligent, or was involved in unfair strategies under Washington’s Consumer Protection Act with regard to Premera’s provision of data security, there were rather strong claims, according to Judge Simon.
The agreement settles the case without admitting liability. Besides the $74 million, Premera had to settle a multi-state lawsuit with 30 states for $10 million because of the failure to street address identified data security risks.
The HHS’ Office for Civil Rights also investigated the Premera data breach. There is yet a decision if it is appropriate to issue a financial penalty.