States ready market conduct exam after Premera breach

Washington is leading a multi-state examination of Premera Blue Cross in response to the recent cyberattack that affected 11 million customers.

Exposed information included names, dates of birth, addresses, Social Security numbers, bank account information and more. Insurance Commissioner Mike Kreidler announced the launch of a multi-state market conduct examination of Washington-based Premera Blue Cross (Premera) today.

Alaska and Oregon will join in the market conduct exam, according to a release citing Washington Insurance Commissioner Mike Kreidler. “We take the recent cyberattack at Premera very seriously,” said Kreidler. “Insurance regulators across the country are on high alert given the recent breaches both at Premera and Anthem and we will use every resource within our authority to ensure that consumers are protected and to see that insurers are responding appropriately.”

Market conduct exams involve multiple states and are on-site reviews of an insurer’s financial books, records, transactions and how they relate to a company’s activities in the marketplace.

The exact scope of Premera’s exam is still under discussion but may include the following:

• All cybersecurity aspects of the breach;
• Premera’s response to the breach and any corrective actions it has taken; and
• The financial impact of the breach on consumers, providers and Premera.

The participating states will contract with a cybersecurity firm to help examine the following:

• When and how the data was breached;
• Whether or not it stopped and if so, when;
• What data was compromised;
• How the attack was able to succeed; and
• Whether the company has taken effective steps to prevent a future attack.

The final market conduct report will be made available to the public. No date exists yet for completion of the exam. Depending on the complexity, exams can take several months to more than a year to complete.

“I remain seriously concerned at the amount of time it took Premera to notify its policyholders of the breach," said Kreidler. “When you buy and use your insurance, you share your personal information with the company and you expect it to be protected during those transactions. When that trust is broken, it’s our job to make sure consumers are protected and that companies are held responsible.”