RALEIGH -- Attorney General Josh Stein and other attorneys general reached a $10 million multistate settlement with health insurance company Premera over its failure to secure sensitive consumer data, which exposed the personal and protected health information of more than 10.4 million consumers to a hacker for almost a year.
“Premera’s failure to address known vulnerabilities in its security practices gave a hacker easy access to millions of people’s personal information and health details,” said Attorney General Josh Stein. “Businesses have to do better safeguarding consumer and patient data. My office will continue to hold them accountable if they fail to do so.”
From May 5, 2014, until March 6, 2015, a hacker had unauthorized access to the Premera network and consumers’ sensitive personal information, including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers, and email addresses. The hacker took advantage of multiple known weaknesses in Premera’s data security – cybersecurity experts and the company’s auditors had warned Premera about these inadequacies, but the company failed to sufficiently address them.
In its complaint, the coalition of 30 attorneys general asserts that the company failed to meet its obligations to safeguard information and protect data under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated North Carolina’s law against unfair and deceptive trade practices. Premera also misled consumers about its privacy practices after the breach became public, telling consumers there was “no reason to believe that any of your information was accessed or misused,” and claiming that “there were already significant security measures in place to protect your information.”
Under the settlement, Premera will pay $10 million to the states, implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the attorneys general, and hire a chief information security officer to maintain data security.
Attorney General Stein is joined in today’s multistate settlement by the Attorneys General of Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont, and Washington.