Last week, Washington Attorney General Bob Ferguson announced that the state's largest insurance provider, Premera Blue Cross, will pay $10 million in fines following an investigation into the company's data security practices.
In 2014, Premera experienced one of the largest breaches of medical data in history. For nearly a year, hackers had access to millions of customers' data, including Social Security numbers, bank account information and medical records.
Premera insists there is no evidence that data was ever used by the hackers.
Ferguson nonetheless launched an investigation. He found that not only were Premera's security measures not up to par, but that "Premera repeatedly ignored both its own employees and cybersecurity experts who warned millions of consumers' sensitive health information was at risk."
Twenty-nine other affected states joined his investigation and last week the consent decree was announced.
Of the $10 million, Washington will get roughly $5.4 million. The state gets the bulk of the fine because its customers were most affected.
Premera Blue Cross is based outside Seattle.
Where does that $5.4 million go? Back to Ferguson's office.
Some of the money covers the cost of the investigation, and the rest will go toward pursuing similar investigations and enforcement of data privacy laws.
But the core purpose of the decree isn't the financial penalty. Rather, it's about imposing new security requirements on Premera.
Those requirements range from making it harder to access Premera's system to keeping closer tabs on where medical records are stored to hiring a new executive specifically for data security.
The decree leaves open the question of whether the victims themselves might receive a payout.
They likely will, but from another source: a separate class action lawsuit.
That suit has reached a tentative agreement, which includes Premera creating a $32 million fund for customers whose data was stolen.
That fund will go toward credit monitoring and reimbursing customers who might have lost money because of the hacks.
The settlement, however, has not yet been formally approved by the court. If it does get approved, then affected customers should be able to seek out those funds shortly afterwards.