- Premera Blue Cross is being accused of destroying a key piece of evidence in the class-action lawsuit against the health insurer over a health data breach that compromised PHI on 11 million people.
Lawyers for the breach victims filed a motion Aug. 30 in the case seeking sanctions against the health insurer for “misconduct” in destroying a computer hard drive and logs that contained evidence related to the theft of data by hackers.
“By willfully destroying: (a) a computer that the hackers used in the data breach and which may have held evidence of data exfiltration; and (b) data loss prevention software logs that may have shown evidence of data exfiltration, Premera spoliated key evidence and prejudiced Plaintiffs’ ability to achieve a rightful decision in this case,” according to the motion, a copy of which was obtained by HealthITSecurity.com.
The sanctions called for include instructing the jury that because of the destruction of the computer and the logs, the jury should presume that the data exfiltration occurred; an order preventing Mandiant or any expert relying on Mandiant’s investigation from testifying that no evidence of data exfiltration was found; and an order prohibiting Premera from introducing evidence related to the destroyed computer or logs.
Back in March 2015, Premera announced that it discovered a data breach that affected 11 million people, which had occurred in May of the previous year. The information exposed included health insurance applicants' and members’ names, dates of birth, email addresses, physical addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, including clinical information.
“Individuals who do business with us and provided us with their email address, personal bank account number or Social Security number are also affected,” Premera said in a statement issued at the time. “The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.”
In the data breach’s aftermath, class-action lawsuits were filed in US District Court in Seattle on behalf of breach victims and subsequently consolidated into one case. The lawsuit claims that Premera was negligent, breached its contract with customers, and violated privacy laws by failing to disclose the breach in a timely manner.
The attorneys for the breach victims argued that Premera’s defense rests on its claim that no data was exfiltrated, so the victims were not harmed. “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any Plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system,” they stated.
The destruction of the computer and logs, more than a year after the lawsuits were filed, prevents the plaintiffs from disputing Premera’s claim that no data was stolen from its system.
“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network. This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose,” the attorneys wrote.
In a statement, Premera responded: “We are aware of the motion for sanctions that was recently filed by the plaintiffs in the class action arising from the 2015 cyberattack at Premera. It is the type of motion that is not uncommon in complex litigation involving voluminous physical and documentary evidence and represents just one of many disputes that can arise during the discovery phase of a lawsuit. We disagree with the motion and do not believe the facts justify the relief plaintiffs have requested. Our attorneys will be filing a response in due course.”