On Monday, Oregon federal district court judge Michael Simon preliminarily approved a $32 million settlement that would resolve multidistrict litigation against Premera Blue Cross over the health insurer’s 2015 data breach, which affected an estimated 11 million customers and employees. In a 58-page order, Judge Michael H. Simon said the proposed settlement is fair, considering that the proposed class members have “several strong arguments” regarding Premera’s allegedly inadequate data security measures. The judge also noted that multiple internal and external audits had identified vulnerabilities in Premera’s system before the hack, but the company failed to address them, and the breach went on for months without being detected.
“Whether Premera breached its contractual promises, was negligent, or engaged in unfair practices under Washington’s [Consumer Protection Act] with respect to Premera’s provision of data security are relatively strong claims,” the order says.
If approved, the settlement would resolve at least 42 lawsuits that were filed after the Mountlake Terrace, Washington-based health insurance provider announced in March 2015 that it exposed its database to hackers when an employee opened a phishing email and installed a bogus software update that was actually malware.
The plaintiffs claim the data breach occurred even though the U.S. Office of Personnel Management had specifically told Premera to fix vulnerabilities in April 2014, and internal and external audits by Accuvant, Verizon Business and others had identified several security deficiencies multiple times.
Under the proposed deal, claimants could receive up to $10,000 to reimburse out-of-pocket expenses they incurred due to the breach, including up to 20 hours of personal time spent addressing the problem at $20 per hour. Those who don’t have expenses would receive $50, and the California victims of the hack would receive an additional $50, while all class members would receive two-year credit monitoring and insurance. The company also agreed to invest at least $42 million in bolstering its information security practices over the next three years.
A hearing on the settlement’s final approval is set for March 2.
The customers and employees are represented by Kim D. Stephens, Christopher I. Brain and Jason T. Dennett of Tousley Brain Stephens PLLC, Keith S. Dubanevich of Stoll Berne, Tina Wolfson of Ahdoot & Wolfson PC, James Pizzirusso of Hausfeld LLP, and Karen Hanson Riebel and Kate M. Baxter-Kauf of Lockridge Grindal Nauen PLLP.
The case is In re Premera Blue Cross Customer Data Security Breach Litigation, case number 3:15-md-2633, in the U.S. District Court for the District of Oregon.