As we discussed in our previous post, Premera Blue Cross (Premera) recently revealed that it suffered a massive data breach potentially exposing the personal data of 11 million customers. On Thursday Premera was hit with a proposed class action lawsuit in Washington federal court accusing it of negligence associated with the data breach. The suit claims that the letters notifying customers of the breach did not reach those affected within the 60 day notification period required by HIPAA, as Premera discovered the breach in January and letters may not reach all individuals affected until late April. The suit also argues that the breach came just weeks after federal auditors warned Premera of security issues.
Premera claims that the gap in time between discovery and reporting of the breach was necessary to notify and coordinate with federal law enforcement and to engage a third-party cybersecurity firm to remedy the infiltration. However, the Washington state insurance commissioner (who is involved since a large portion of Premera’s customers reside in Washington state) has criticized Premera’s delay and has stated that his office will be investigating the attack.
Proactive HIPAA compliance efforts can reduce and mitigate the risk of future losses due to HIPAA violations and breaches. This suit highlights the need for those companies handling protected health information to have appropriate procedures and policies in place to quickly react to a breach, know who is responsible for responding to a breach, engage the appropriate assistance, and promptly respond to any required notice obligations that may apply. With increased attacks on health information more suits of this sort are likely to be seen.