A security breach at the Mountlake Terrace-based Premera has led to 38 lawsuits and continuing investigations into how the breach occurred and the consequences that may have followed.

Share story

With less than a week left to apply, about 830,000 of almost 11 million current and former insurance customers have registered for credit monitoring and identity-theft protection after their personal and medical information may have been compromised in a security breach that Premera announced in March.

Mountlake Terrace-based Premera maintains that it does not “have any evidence that there was any criminal activity on anyone’s account as a result of the cyberattack,” company spokeswoman Melanie Coon said in an email statement.

However, the company faces 38 class-action lawsuits containing reports that may argue otherwise, including stories of false tax returns, unexpected calls to verify personal information and packages received that were never ordered.

Applying for credit monitoring

Premera offered customers who were affected by a computer-security breach two years of free credit monitoring and identity-theft-protection services.

Deadline: Sept. 30

Website: Premera has set up a site dedicated to the breach: premeraupdate.com

Offer: ProtectMyID is available to adults and Family Secure for children under 18.

Application: To sign up for both, visit Premera’s website or call Experian directly: 1-888-451-6558. When enrolling over the phone you may be asked for a code. For ProtectMyID services use PC92585. For Family Secure services use PC92586.

Other help: Tips to combat identity theft can be found at premeraupdate.com/tips-combat-identity-theft. Also call Premera with any questions: 1-800-768-5817.

Source: Premera

“This is not just an inconvenience, it is a significant harm to real people,” said Darrell Cochran, a lawyer for Pfau Cochran Vertetis Amala, which represents 2,500 people impacted by the Premera breach.

Debra and Gary MacDonald are covered through Gary’s insurance with Boeing from Blue Cross Blue Shield of Illinois. When news of Premera’s hack came out in March, Debra said she wasn’t worried because the Woodinville couple are not covered by the local company.

But less than a month later, they were contacted by the Internal Revenue Service, informing them a fraudulent tax return had been filed in their names. Three weeks later, they received a letter from Premera about the breach.

Since April, when the couple realized their information was compromised — in what they can only assume was the Premera breach — they also found fraudulent credit-monitoring accounts had been set up. That information allowed someone who may have possessed their information improperly to access credit reports, credit scores and eventually old tax returns. The couple think that’s what led to the fraudulent tax return.

With her conscientious note-taking and milelong checklists of what to do in identity-theft cases, Debra MacDonald estimates she has spent 150 hours fixing the mess.

While the couple are not named in any of the 38 lawsuits filed so far, they are one of about 4,000 who have retained different firms to represent them in the case, Cochran said.

“We did not have a monetary loss, but the tangible loss is peace of mind for the rest of our lives,” she said.

The attack

Premera disclosed the attack on March 17, saying that the 11 million potential victims included 6 million current and former customers in Washington state. The breach was discovered on Jan. 29 but initially took place eight months earlier, on May 5, 2014.

The company said the attackers may have gained access to customers’ information dating as far back as 2002, including names, birth dates, Social Security numbers, addresses, bank-account information and claim information, including clinical data.

The attack affected customers of Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, Vivacity, Connection Insurance Solutions, as well as LifeWise affiliate for Washington, Oregon and Arizona and LifeWise Assurance.

Members of other Blue Cross Blue Shield plans who have sought treatment in Washington or Alaska may also have been affected, which is why the MacDonalds received a letter.

One way people who are covered through other insurance companies may have been affected is through workplace-benefits programs, such as through Vivacity, a Premera affiliate that offers employee-wellness programs.

Even if someone is not covered by Premera, their information may have been part of the breach if the individual’s employer purchased wellness programs from Vivacity, Eric Earling, vice president of corporate communications at Premera said in an interview during the summer.


The FBI is still investigating the attack and working with the company to determine the scope of the incident. Premera said it also continues to work with Mandiant, the security firm it hired to investigate the breach and help repair Premera systems.

“The privacy and security of our members’ personal information remains an important priority for Premera,” company spokeswoman Coon said.

Washington Insurance Commissioner Mike Kreidler launched a multistate investigation into the cyberattack a week after it was disclosed. He is working with his counterparts in Alaska, California, Idaho and Oregon, as well as the Washington’s Office of the Attorney General. All 50 states, plus Guam, Puerto Rico and Washington, D.C., have signed an agreement to participate in the examination.

The commissioner’s office said the first phase of the review exam will determine if there should be a fuller examination, a settlement or closure of activities, spokesman Steve Valandra said.

As a ranking member of the Senate Health, Education, Labor and Pensions Committee, Sen. Patty Murray is also watching the investigation.

She sent a letter to Premera days after the attack was disclosed, questioning the company’s failure to immediately inform current and former policy holders.

The company and the FBI have continued to be tight-lipped about the details of the breach, and the investigation is ongoing. But Murray has directed her staff to closely monitor the progress toward “remedying harm done to their” customers and to keep her informed.

Additionally, as part of a bipartisan-oversight initiative to examine the health industry’s preparedness for cyberattacks, Murray is working to explore the federal role in health-information security, instructing her staff to meet weekly with key stakeholders.

The 38 lawsuits have been consolidated in Oregon and transferred to U.S. District Judge Michael Simon. Lead counsel Kim Stephens from Tousley Brain Stephens said the multidistrict litigation panel (who decides if multiple cases can be consolidated) was worried that most of the federal judges in Washington are covered by Premera. A trial date has been tentatively set for February 2018 but could be settled or dismissed before then.

Debra MacDonald doesn’t want a big payout — just paid for her time and the day of vacation her husband used to go to the bank with her.

She said she is angry about the lack of protection around her private information, but “I imagine people who have suffered monetary losses are even more furious.”