Premera Blue Cross is paying $10 million to 30 states following an investigation into a major data breach.
Washington Attorney General Bob Ferguson announced the settlement Thursday, several weeks after the company said it would spend $74 million to settle a federal class-action lawsuit on behalf of affected customers.
The states said the company knew about vulnerabilities in its system but failed to fix them.
During the breach, which lasted from May 2014 to March 2015, hackers had access to sensitive data on 10.4 million people — the majority of them in Washington state. Under the settlement, the company will pay $5.4 million to Washington and the rest to the other states.
Premera is also required to implement data security controls to protect personal health information.