Premera Blue Cross, the largest health insurer in the Pacific Northwest, will pay $10.4 million to 30 states to resolve HIPAA violations.

For close to a year, a hacker accessed the Premera network to collect sensitive personal information, including health information, Social Security numbers, dates of birth and more. Starting in May 2014, the hacker created an email that appeared to be from the company’s IT department and then asked an employee to enter user credentials. Despite misspelling the company’s domain name and making other errors, the hacker persuaded the employee to take part. That allowed malware onto the network, which gave the hacker access to data for nearly 10 million people.

“In today’s day and age, hackers are going after people instead of the technology directly,” Anahi Santiago, chief information security officer at Christiana Care Health System in Wilmington, DE, told Medical Economics earlier this year. “And the breaches that happen as the result of these attacks not only give hackers access to protected patient data but also the ability to disable networks which, essentially, can disable providers and organizations from being able to effectively care for their patients.”

Premera, which is based near Seattle, will pay $5.4 million to Washington. It promised to, among other steps, implement data security controls, provide security reports to the Washington attorney general’s office and review practices annually.

The health insurer also settled a class action lawsuit for $74 million earlier this year.