BreachExchange mailing list archives

Excellus Faces Breach-Related Lawsuit


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Sep 2015 18:10:41 -0600

http://www.databreachtoday.com/excellus-faces-breach-related-lawsuit-a-8539

A lawsuit seeking class action status has been filed in the aftermath of a
hacker attack on Excellus BlueCross BlueShield that potentially exposed
information on 10.5 million individuals.

Meanwhile, an Illinois court last week reportedly dismissed five more
claims in a consolidated lawsuit filed against Advocate Health and
Hospitals Corp. in the wake of a 2013 breach affecting 4 million
individuals. Those dismissals follow a recent ruling by an appellate court
upholding the dismissal of two other lawsuits that were part of the
consolidated case against Advocate (see Advocate Health Ruling: The Impact).

Only one claim - for negligence - reportedly is still pending in the class
action suit against Advocate, according to legal news website Law360.

In the suit filed against Excellus, and its holding company, Lifetime
Healthcare, in the U.S. district court for the western district of New
York, plaintiffs make allegations of negligence and breach of contract
against the health plan, which disclosed a cyber-attack on Sept. 9.

Breach Details

Excellus said that the cyber-attack began in December 2013 but wasn't
discovered until Aug. 5, 2015. The company says the breach was detected
after Excellus, which is based in Rochester, N.Y., hired cybersecurity firm
Mandiant to conduct a forensic assessment of the company's IT systems in
the wake of multiple health insurers - including Anthem Inc., Premera Blue
Cross and CareFirst Blue Cross Blue Shield - belatedly discovering that
their systems had been breached and member data stolen.

Among the affected individuals in the Excellus breach are members of other
Blue Cross Blue Shield plans who sought treatment in the 31-county upstate
New York service area of Excellus, the company has said. Compromised data
includes names, addresses, birthdates, Social Security numbers, health plan
ID numbers, financial account information, as well as claims data and
clinical information. Excellus has said the data was encrypted; however,
hackers gained access to administrative controls, making the encryption
moot.

An Excellus spokesman tells Information Security Media Group that the
company does not comment on litigation.

Lawsuit's Allegations

The suit against Excellus alleges that the health insurer failed "to
fulfill their legal duty to protect the sensitive information of their
customers and those customers whose data was stored in its systems." In
addition, the suit alleges that Excellus "knew about the security breach
for over one month before they publicly disclosed the incident."

The complaint alleges that the health insurer "breached their duty to
protect and safeguard its customers' personal, health and financial
information and to take reasonable steps to contain the damage caused where
any such information was compromised."

The case against Excellus also alleges that plaintiffs "have suffered
and/or are reasonably likely to suffer theft of personal and health
information; costs associated with prevention, detection, and mitigation of
identity theft and/or fraud ... and damages from the unconsented exposure
of personal and health information due to this breach."

The suit is seeking unspecified damages, plus expenses.

Uphill Battle

Plaintiffs in breach class action lawsuits often face an uphill battle
unless they are able to show evidence of harm.

"The courts have said, 'just because your information isn't where it's
supposed to be, doesn't mean you've actually been harmed,'" says privacy
attorney Kirk Nahra of Washington-based law firm Wiley Rein, who is not
involved in the cases. "There have been dozens, maybe hundreds of cases
across the country holding that the mere potential of something in the
future is not sufficient to allege the injury that is required to bring a
case." Even in the Anthem breach, which affected nearly 80 million
individuals, "there's no chance that 80 million people will have something
bad happen, some harm done to them," he says.

While most class action lawsuits filed in the wake of health data breach
cases have ended up being dismissed by the courts, one rare "win" for
plaintiffs was a settlement in a breach class action lawsuit against AvMed
Health Plan.

The $3 million settlement agreed to in 2013 by AvMed, a Florida-based
health insurer, stemmed from a 2009 data breach involving the theft of two
unencrypted laptop computers containing data on 1.2 million individuals
(see Settlement in AvMed Breach Suit).

The AvMed settlement, filed in a U.S. District Court, is considered
significant because it awarded payments to individuals who were not victims
of identity theft, but who paid premiums to AvMed in years leading up to
the theft.

Settlement documents in that case explain that awards of up to $30 each to
about 460,000 individuals affected by the breach represent what AvMed
should have spent on protecting data, amounting to a refund of premium
overpayment. Additionally, individuals who were victims of identity theft
as a result of the breach can submit claims to be reimbursed by AvMed for
their monetary losses.

But Nahra says the kind of argument in the AvMed case - that a portion of
premiums paid by members should have gone to securing their data - might
not hold up in the Excellus complaint alleging breach of contract. "It's
not a particularly strong argument. Nobody buys healthcare insurance based
on a percentage of their premium going to security," he says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 