Excellus Blue Cross Blue Shield has agreed to settle a class action lawsuit filed in response to the data breach it experienced in 2015 that affected more than 9.3 million of its health plan members.
Hackers gained access to the Excellus network on or before December 23, 2013, installed malware, and conducted activities that resulted in the impermissible disclosure of plan members’ protected health information. The unauthorized access was prevented on May 11, 2015, although the incident was not detected by Excellus until August 5, 2015.
In January 2021, the HHS’ Office for Civil Rights announced a settlement had been reached to resolve violations of the HIPAA Rules that it discovered when investigating the breach. Excellus agreed to pay OCR $5.1 million in penalties and adopt a corrective action plan to address the alleged non-compliance issues identified by OCR.
A class action lawsuit was filed against Excellus after notifications were issued to affected individuals, which alleged several failures in relation to the cyberattack and data breach, including the failure to protect the sensitive data of its health plan members, an unacceptable delay in issuing notification letters, and the failure to provide affected individuals with adequate information about the data breach to allow them to take action to protect themselves against identity theft and fraud.
Excellus, its companies, and the Blue Cross Blue Shield Association deny any wrongdoing in relation to the cyberattack, data breach, and breach response, and maintain no court has established any wrongdoing. The settlement covers all individuals who are listed by Excellus as impacted individuals, and whose personally identifiable information (PII) or protected health information (PHI) resides in Excellus’s systems.
The settlement provides injunctive relief, which will ensure the defendants maintain a minimum level of commitment and investment in security and information technology and change their business practices related to the safeguarding of the PHI and PII of insureds. The settlement terms apply for three years from the date the settlement agreement is finalized, or for two years after each of the requirements of the settlement has been implemented.
The settlement agreement covers Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and Blue Cross Blue Shield Association.
The requirements of the settlement cover:
- Information Security Budget – Excellus must increase and maintain a minimum information security budget, with any unspent or unallocated amounts rolled over to the following year, where they must be spent on information security.
- Document Destruction Mechanism – Excellus will develop a strategy and engage vendor(s) as appropriate within 12 months to ensure records containing PII or PHI are disposed of within one year of the original retention period, and will make good faith efforts to effectuate the enforcement mechanism and will report on this progress within 24 months of the settlement being finalized.
- Specific Security Measures – Excellus will make its network more secure and will implement processes and tools for detecting suspicious activity, authenticating users, responding to and containing security incidents, and retaining documents.
- Office of Civil Rights Settlement – Excellus provided Plaintiffs’ counsel with copies of all submissions to OCR as required under the terms of the January 2021 settlement and corrective action plan.
- Data Archiving Project – Excellus says it has engaged in an extensive data archiving program that covers databases maintaining PII and PHI.
- Annual Declaration – Provide the plaintiffs with an annual declaration attesting to its compliance with each of the items of the settlement, including the extent to which it has not been possible to comply, for the three years after the settlement is finalized.
“[Excellus] had already begun making some pretty significant changes to its security controls,” said attorney Hadley Lundback Matarazzo, co-counsel for the plaintiffs. “What this settlement would do is ensure that they continue to make business practice changes and continue to enforce changes that are made in order to better safeguard customer data going forward.”
The settlement includes payment of $4.3 million, which is broken down as $3.3 million in fees and $1 million in reimbursed expenses. The payments will cover attorneys’ fees and reasonable costs and expenses of all cases comprising the litigation. Service awards of up to $7,500 will also be paid to compensate each class representative. The settlement does not include any funds for class members, as while the lawsuit initially sought monetary damages, a class was only certified for injunctive relief.
Under the terms of the settlement, all plaintiffs and class members must release all claims for injunctive and declaratory relief against the defendants; however, the settlement does not prevent any individuals impacted by the data breach from suing Excellus or the other defendants for monetary damages.
The settlement is due to go before a judge to obtain approval, with the hearing scheduled for April 13, 2022.