Connecticut Attorney General William Tong. Connecticut Attorney General William Tong. Courtesy photo.

A coalition of attorneys general from 30 states, including California, Connecticut, Florida and New Jersey, reached a $10 million settlement agreement with Premera Blue Cross over its alleged failure to secure consumer data.

According to the settlement agreement, Premera's insufficient data security gave a hacker access to health and personal information of more than 10.4 million consumers nationwide.

Washington state, where Premera is headquartered, led the multistate coalition.

Under the settlement, California will get $996,000 for about 400,000 affected residents. Connecticut will receive $52,642 for about 15,000 residents, New Jersey $72,168 for about 40,000 people, and Florida about $112,000 for 97,000 Floridians whose files were breached.

New York and Texas were among the 20 states that were not part of the settlement agreement.

The data breach, officials said, occurred from May 2014 to March 2015, when a hacker breached the Premera network and had access to clients' Social Security numbers, bank account information, phone numbers and member identification numbers.

The settlement requires Premera to take several steps. Among them: ensuring its data security program protects personal health information, regularly assessing and updating its security measures, hiring a chief information security office for a separate position from the chief information officer, and holding regular meetings between that chief information security officer and the company's executive management. The company's compliance officer must also develop a process for evaluating risks, determining priorities and reviewing compliance plans.

“We are pleased to have reached an agreement with state attorneys general to resolve legal inquiries into the 2014 cyber attack on our data network,” Premera Blue Cross spokeswoman Dani Chung said in a statement Thursday. “The commitments we have agreed to are consistent with our ongoing focus on protecting personal consumer information.”

Connecticut Attorney General William Tong said the settlement requires the company to implement specific data-security controls to safeguard consumers' personal health information.

“Premera was repeatedly warned by cybersecurity experts about deficiencies in its security program, yet the company failed to fix its practices,” Tong said.

New Jersey Attorney General Gurbir Grewal suggested the agreement should prompt corporations to be vigilant against breaches.

“As today's settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers,” he said.

Grewal's office said separate class action litigation over the breach resulted in a proposed settlement in June that requires Premera Blue Cross to make $42 million in cybersecurity upgrades.