Excellus Class Action Data Breach Lawsuit Reached Settlement

Excellus Health Plan Inc., its affiliated firms, and the Blue Cross Blue Shield Association (BCBSA) have arrived at a settlement of a class-action lawsuit that was filed with regards to a cyberattack uncovered in 2015. The attack affected the protected health information (PHI) and personally identifiable information (PII) of over 10 million subscribers, members, insureds, patients, and clients.

A cybersecurity company that was employed to evaluate Excellus’s IT system discovered the cyberattack on August 5, 2015. Excellus and cybersecurity company Mandiant conducted an investigation and confirmed that hackers had initially acquired access to its networks on or prior to December 23, 2013. The proof was found that showed the hackers were active in its system up to Aug. 18, 2014, after which no footprints of activity were discovered; nevertheless, the malware was installed which allowed the attackers to access its system up to May 11, 2015. That time, something occurred that stopped the hackers from getting access to its system. Excellus took 17 months from the preliminary attack to identify the security breach.

The HHS’ Office for Civil Rights (OCR) started to investigate the data breach and found a number of potential HIPAA Rules violations, which include security problems and the impermissible disclosure of PHI. In January 2021, Excellus decided to pay $5.1 million in financial penalties to resolve the HIPAA violations and to carry out a corrective action plan to deal with the security problems and the claimed HIPAA non-compliance concerns.

The lawsuit was filed against Excellus, Lifetime Benefit Solutions Inc., Lifetime Healthcare Inc., MedAmerica Inc., Genesee Region Home Care Association Inc., the Blue Cross Blue Shield Association, and Univera Healthcare, on behalf of all people impacted by the data breach. At first, the lawsuit wanted monetary compensation and injunctive relief; but for a number of legal reasons, the court could not approve classes requesting monetary compensation, and only approved a class for injunctive relief.

The plaintiffs claimed the defendants were unable to carry out proper security measures to assure the privacy of PII and PHI, did not discover the security breach within 17 months, and at the time the breach was discovered, waited a long time to alert impacted persons and then did not give enough details regarding how victims can keep themselves from damage. The lawsuit demanded the Excellus defendants and BCBSA to alter their data security strategies with regard to PII and PHI and to spend money on data security. The Excellus defendants and BCBSA dismissed any wrongdoing and, thus far, no court has found the defendants had done anything inappropriate.

The Excellus defendants and BCBSA have consented to pay for acceptable attorneys’ charges, costs, and expenditures as authorized by the courts. The expenses consist of up to $3.3 million to take care of attorneys’ charges and the compensation of expenses of at most $1,000,000. Service awards of as much as $7,500 will likewise be given to class representatives.

Improvements will be made to company guidelines concerning the protection of PII and PHI which will include the 3 years from the final settlement or the two years following the implemented changes. The data security requirements specified in the settlement call for the Excellus defendants and BCBSA to:

  • Raise and keep a minimum data security budget
  • Create a plan and engage vendors to make sure records comprising PII or PHI are disposed of in a year from the initial retention period
  • Take action to enhance the security of its system, which include using tools for uncovering suspicious activity, authenticating users, reacting to and controlling security occurrences, and documenting storage
  • Engage in a comprehensive data archiving plan and give plaintiffs documentation verifying the extent, range, and exhaustiveness of the archiving work
  • Give the plaintiffs copies of files given to OCR that show compliance with the OCR settlement deal and corrective action plan
  • Make a yearly statement confirming compliance with every facet of the items in the settlement deal, which include the magnitude to which it was not possible to follow any of the requirements

In case the settlement is approved by the court – a hearing is slated for April 13, 2022 – all plaintiffs and class members need to let go of all claims versus the Excellus defendants and BCBSA for injunctive and declaratory relief. With the settlement, no claim against the Excellus defendants and BCBSA for monetary compensation will be released.