Standards, Regulations & Compliance

Excellus Faces Breach-Related Lawsuit

Meanwhile, More Claims Against Advocate Health Dismissed
Excellus Faces Breach-Related Lawsuit

A lawsuit seeking class action status has been filed in the aftermath of a hacker attack on Excellus BlueCross BlueShield that potentially exposed information on 10.5 million individuals.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

Meanwhile, an Illinois court last week reportedly dismissed five more claims in a consolidated lawsuit filed against Advocate Health and Hospitals Corp. in the wake of a 2013 breach affecting 4 million individuals. Those dismissals follow a recent ruling by an appellate court upholding the dismissal of two other lawsuits that were part of the consolidated case against Advocate (see Advocate Health Ruling: The Impact).

Only one claim - for negligence - reportedly is still pending in the class action suit against Advocate, according to legal news website Law360.

In the suit filed against Excellus, and its holding company, Lifetime Healthcare, in the U.S. district court for the western district of New York, plaintiffs make allegations of negligence and breach of contract agains the health plan, which disclosed a cyber-attack on Sept. 9.

Breach Details

Excellus said that the cyber-attack began in December 2013 but wasn't discovered until Aug. 5, 2015. The company says the breach was detected after Excellus, which is based in Rochester, N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the company's IT systems in the wake of multiple health insurers - including Anthem Inc., Premera Blue Cross and CareFirst Blue Cross Blue Shield - belatedly discovering that their systems had been breached and member data stolen.

Among the affected individuals in the Excellus breach are members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus, the company has said. Compromised data includes names, addresses, birthdates, Social Security numbers, health plan ID numbers, financial account information, as well as claims data and clinical information. Excellus has said the data was encrypted, however hackers gained access to administrative controls, making the encryption moot.

An Excellus spokesman tells Information Security Media Group that the company does not comment on litigation.

Lawsuit's Allegations

The suit against Excellus alleges that the health insurer failed "to fulfill their legal duty to protect the sensitive information of their customers and those customers whose data was stored in its systems." In addition, the suit alleges that Excellus "knew about the security breach for over one month before they publicly disclosed the incident."

The complaint alleges that the health insurer "breached their duty to protect and safeguard its customers' personal, health and financial information and to take reasonable steps to contain the damage caused where any such information was compromised."

The case against Excellus also alleges that plaintiffs "have suffered and/or are reasonably likely to suffer theft of personal and health information; costs associated with prevention, detection, and mitigation of identity theft and/or fraud ... and damages from the unconsented exposure of personal and health information due to this breach."

The suit is seeking unspecified damages, plus expenses.

Uphill Battle

Plaintiffs in breach class action lawsuits often face an uphill battle unless they are able to show evidence of harm.

"The courts have said, 'just because your information isn't where it's supposed to be, doesn't mean you've actually been harmed,'" says privacy attorney Kirk Nahra of Washington-based law firm Wiley Rein, who is not involved in the cases. "There have been dozens, maybe hundreds of cases across the country holding that the mere potential of something in the future is not sufficient to allege the injury that is required to bring a case." Even in the Anthem breach, which affected nearly 80 million individuals, "there's no chance that 80 million people will have something bad happen, some harm done to them," he says.

Privacy attorney Adam Greene of the law firm David Wright Tremaine notes: "We continue to see that, despite the fact that a number of these cases are getting dismissed based on a lack of harm, they are not going away anytime soon. Anytime there is a large breach, plaintiffs' attorneys likely will continue to press forward with class actions seeking sympathetic judges or potential settlements, despite these cases often getting dismissed based on a lack of harm.

"Accordingly, it remains important to ensure that entities have appropriate cyber insurance that will cover class action defense, to respond to any significant breach incident with an understanding that litigation is a significant possibility, and that the question of whether there is evidence that information was actually accessed and used to harm individuals may be of paramount importance."

While most class action lawsuits filed in the wake of health data breach cases have ended up being dismissed by the courts, one rare "win" for plaintiffs was a settlement in a breach class action lawsuit against AvMed Health Plan.

The $3 million settlement agreed to in 2013 by AvMed, a Florida-based health insurer, stemmed from a 2009 data breach involving the theft of two unencrypted laptop computers containing data on 1.2 million individuals (see Settlement in AvMed Breach Suit).

The AvMed settlement, filed in a U.S. District Court, is considered significant because it awarded payments to individuals who were not victims of identity theft, but who paid premiums to AvMed in years leading up to the theft.

Settlement documents in that case explain that awards of up to $30 each to about 460,000 individuals affected by the breach represent what AvMed should have spent on protecting data, amounting to a refund of premium overpayment. Additionally, individuals who were victims of identity theft as a result of the breach can submit claims to be reimbursed by AvMed for their monetary losses.

But Nahra says the kind of argument in the AvMed case - that a portion of premiums paid by members should have gone to securing their data - might not hold up in the Excellus complaint alleging breach of contract. "It's not a particularly strong argument. Nobody buys healthcare insurance based on a percentage of their premium going to security," he says.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.