In March 2020, a federal judge approved a $74 million settlement to resolve lawsuits against Premera Blue Cross over a massive data breach that exposed personal information for approximately 9 million subscribers and employees. The settlement represents one of the largest healthcare data breach resolutions and requires Premera to invest $42 million in security improvements while dedicating $32 million specifically for credit monitoring and identity protection services. For example, a Premera member who worked for the company and had their Social Security number, health records, and banking information compromised became eligible to claim compensation through this settlement—with the opportunity to recover up to $10,000 if they documented out-of-pocket losses tied directly to the breach.
The settlement was not Premera’s only consequence from the breach. In addition to the $74 million class action settlement, the U.S. Department of Health and Human Services (HHS) imposed a separate $6.85 million HIPAA fine, making this one of the largest healthcare privacy penalties in federal history. The breach itself began on May 5, 2014, when hackers sent a phishing email to a Premera employee using a spoofed domain that closely mimicked the company’s actual email address—replacing an “e” with an “r” to create “@premrera.com.” This single email opened the door to a years-long data compromise that went undetected until January 2015.
Table of Contents
- How Did the Premera Blue Cross Data Breach Happen and What Information Was Compromised?
- What Compensation Was Available to Class Members Under the Settlement?
- What Data Security Improvements Did Premera Have to Implement?
- How Could Class Members File a Claim and Receive Payment?
- What Were the Limitations and Potential Drawbacks of the Settlement for Class Members?
- How Did the Premera Settlement Compare to Other Healthcare Data Breaches?
- What Did the Premera Settlement Mean for Healthcare Privacy Going Forward?
- Conclusion
How Did the Premera Blue Cross Data Breach Happen and What Information Was Compromised?
The Premera breach was a masterclass in how sophisticated cybercriminals can exploit human error at scale. The attack began with a spoofed email designed to deceive an employee into believing it came from within Premera itself. The slightly misspelled domain “@premrera.com” was close enough to the legitimate “@premera.com” address that it passed casual inspection, yet different enough that security systems at the time often failed to catch it.
Once an employee clicked the link and entered their credentials, attackers gained access to Premera’s systems and spent months moving laterally through the company’s network, gradually escalating privileges and copying sensitive data. The compromised data included names, Social Security numbers, birth dates, health insurance information, bank account numbers, and in some cases medical claims information and clinical results. Unlike other breaches that affect a single type of customer, this one exposed both Premera Blue Cross subscribers and the company’s own employees—approximately 9 million people in total. The size and scope of the breach meant that class members faced years of potential identity theft risk, even after the company detected and shut down the unauthorized access in January 2015.

What Compensation Was Available to Class Members Under the Settlement?
The $74 million settlement was divided into two main components, reflecting different aspects of the harm caused by the breach. The settlement provided $42 million earmarked specifically for Premera to implement enhanced data security measures—essentially forcing the company to invest in preventing future breaches rather than writing a check that would disappear into the corporate budget. The remaining $32 million was allocated directly to class member compensation and credit monitoring services, with the intention that this money would actually reach the people whose data was compromised. Class members could file claims under two pathways.
Those who had documented out-of-pocket losses directly traceable to the breach—such as fraudulent charges on credit cards, identity theft recovery costs, or time spent monitoring their credit—could claim up to $10,000. However, this required submitting evidence of their losses, such as credit card statements, police reports, or receipts for credit monitoring services. The second option, and the one most class members took advantage of, was the general claim of $50 per eligible class member with no documentation required. While $50 might seem modest, the settlement also included two additional years of credit monitoring and identity protection services that would have cost hundreds of dollars if purchased separately on the open market.
What Data Security Improvements Did Premera Have to Implement?
As part of the settlement, Premera was required to spend at least $14 million per year on cybersecurity measures for three consecutive years, a substantial investment that went far beyond typical corporate data security budgets. But the settlement didn’t just mandate a dollar amount; it specified exactly what types of security improvements were needed. Premera had to implement encryption for all sensitive data, including names, Social Security numbers, and financial information. The company was also required to deploy two-factor authentication for all remote access to critical systems, a basic security practice that, if implemented in 2014, likely would have prevented the initial breach.
Additionally, Premera was mandated to conduct annual third-party IT security audits to verify compliance with these new requirements. These weren’t internal audits conducted by the company’s own security team—they had to be performed by independent security firms to ensure actual accountability. The settlement also required Premera to establish a process for employees to report cybersecurity concerns without fear of retaliation. While these improvements sound routine by today’s standards, they represented a major security overhaul for a healthcare company that had fundamentally underestimated the sophistication and persistence of modern cybercriminals. The fact that such basic protections had to be court-ordered illustrates how vulnerable many large organizations were to breaches in the mid-2010s.

How Could Class Members File a Claim and Receive Payment?
The claims process for the Premera settlement operated through a claims administrator, meaning eligible class members didn’t have to negotiate directly with Premera’s lawyers or the company itself. Claimants could submit claims online, by mail, or in some cases by telephone, making the process accessible even to elderly subscribers who were less comfortable with digital submissions. For those claiming the $50 general claim amount, the process was straightforward—simply verify membership in the class and submit basic information.
The claims administrator then processed the claim and issued payment, either by check or direct deposit. For claimants seeking the higher $10,000 recovery for documented losses, the process required more diligence. Class members had to submit evidence of their losses, which typically included credit card statements showing fraudulent charges, identity theft investigation letters from law enforcement, bank statements showing unauthorized transactions, or receipts from credit monitoring services they had purchased to protect themselves after learning about the breach. The settlement also provided that individuals whose information was compromised but who didn’t suffer quantifiable losses could still benefit from the credit monitoring services included in the settlement, which provided real protection even if no monetary payment was available.
What Were the Limitations and Potential Drawbacks of the Settlement for Class Members?
One significant limitation of the settlement was the claims deadline. While the settlement provided for compensation, it did so only during a defined claims period—class members who missed the deadline had no way to recover compensation. Additionally, the $50 general claim amount was deliberately modest; while this reduced the amount Premera had to pay overall, it also meant that class members with significant documented losses often ended up receiving less than they had actually spent recovering from the breach. For example, someone who spent $3,000 on identity theft protection services and legal fees to clear their credit record could only recover $10,000 maximum, which may not have fully compensated them for their expenses and stress.
Another practical limitation was that not all class members received equal treatment. Premera employees faced unique risks because they had access to more sensitive information within the company’s systems, but the settlement treated employee class members the same as regular subscribers. There was also the question of whether $42 million in forced security spending actually prevented future breaches at Premera or merely brought the company up to industry standards it should have met years earlier. The settlement was approved in March 2020, but many of the security improvements took years to fully implement, meaning there was an extended period where Premera’s systems were still catching up.

How Did the Premera Settlement Compare to Other Healthcare Data Breaches?
The Premera settlement was significant, but it wasn’t the largest healthcare data breach settlement in American history. However, it was among the largest of its era, and it set an important precedent for holding healthcare companies accountable for massive exposures of patient data. The $6.85 million HHS HIPAA fine that accompanied the settlement was, at the time, one of the largest penalties the government had imposed for a healthcare privacy violation. The dual nature of the penalty, both a substantial class action settlement and a federal fine, sent a clear message that data breach negligence would be punished from multiple angles.
What made the Premera case particularly instructive was its origin: a simple phishing email exploiting a single misspelled domain. This wasn’t a sophisticated zero-day exploit or a break-in by state-sponsored hackers. It was social engineering at its most basic. Yet it led to a compromise that went undetected for nearly a year and exposed 9 million people. The settlement reflected a growing recognition in the 2010s that healthcare companies, despite handling some of the most sensitive personal information in existence, often operated with security practices that wouldn’t meet the standards expected in the financial industry.
What Did the Premera Settlement Mean for Healthcare Privacy Going Forward?
The Premera settlement occurred at an inflection point in healthcare cybersecurity. By 2020, when the settlement was approved, the healthcare industry was under increasing pressure to modernize its security practices, spurred partly by high-profile breaches and the settlements they generated. The requirement that Premera spend $14 million annually on security demonstrated that court-ordered remedies could force meaningful compliance, even if the underlying motive was liability rather than genuine commitment to privacy protection.
The case also influenced how healthcare companies negotiated insurance and approached data breach response in the years that followed. Insurers began demanding more rigorous security requirements before providing cyber liability coverage. The Premera settlement became a reference point in breach litigation, showing both that healthcare companies faced real financial consequences for negligence and that class members could potentially recover compensation. For individual subscribers and employees affected by the breach, the settlement provided both material relief through credit monitoring services and a degree of justice through the acknowledgment that their data had been mishandled.
Conclusion
The Premera Blue Cross $74 million data breach settlement represented a significant accountability moment in the history of healthcare privacy. Class members affected by the breach could recover up to $10,000 for documented losses or receive a $50 general claim, along with two years of credit monitoring and identity protection services. Beyond the compensation to individuals, the settlement required Premera to invest $42 million in security improvements and maintain annual security spending of at least $14 million for three years—a practical acknowledgment that companies must invest in prevention, not just litigation settlement.
If you were a Premera subscriber or employee during the breach period and have not yet filed a claim, it is critical to verify whether the claims period for this settlement is still open or whether it has closed. Breach-related claims are subject to specific deadlines, and missing the window means missing your opportunity for compensation. Review the settlement details carefully, gather any documentation of losses you incurred, and file your claim through the designated claims administrator. The experience of the Premera breach and its settlement underscores the importance of monitoring your credit and financial accounts continuously after a major data breach notification—protection that you should take advantage of even after settlement processes conclude.
