Days following Premera Blue Cross’s public announcement that it had experienced a data breach affecting approximately 11 million, it has been sued five times (as of the time of this writing) in proposed class action lawsuits in federal district court in Washington. On top of that, it is facing investigations from at least three states—Washington, Alaska and Oregon, and it is rumored that insurance commissioners in other states are considering joining the investigation ranks. The Governor of Alaska has also ordered state agencies to review their security standards and those of state business associates. The Premera breach reportedly affected approximately 700,000 Alaskans, including employees of the State of Alaska. The information breached included the individuals’ names, dates of birth, Social Security numbers, email addresses, home addresses and bank account information from 2002 to 2015.

The crux of the proposed class action lawsuits is that Premera waited too long to inform customers of the breach, which may have commenced last May but was discovered in January.

Unfortunately for Premera, on April 18, 2014, just a few weeks before the initial intrusion, the Office of the Inspector General informed Premera that its security procedures were lacking following an audit. The plaintiffs’ attorneys have used this information to allege in the complaints that Premera failed to fix basic security issues and had sufficient time to do so to prevent the ongoing access to sensitive data.

We expect additional lawsuits to be filed against Premera as we have seen in other major data breach cases, and we will watch them closely and report on developments as they occur.  Stay tuned…