BreachExchange mailing list archives
Excellus Faces Breach-Related Lawsuit
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Sep 2015 18:10:41 -0600
http://www.databreachtoday.com/excellus-faces-breach-related-lawsuit-a-8539

A lawsuit seeking class action status has been filed in the aftermath of a hacker attack on Excellus BlueCross BlueShield that potentially exposed information on 10.5 million individuals.

Meanwhile, an Illinois court last week reportedly dismissed five more claims in a consolidated lawsuit filed against Advocate Health and Hospitals Corp. in the wake of a 2013 breach affecting 4 million individuals. Those dismissals follow a recent ruling by an appellate court upholding the dismissal of two other lawsuits that were part of the consolidated case against Advocate (see Advocate Health Ruling: The Impact).

Only one claim - for negligence - reportedly is still pending in the class action suit against Advocate, according to legal news website Law360.

In the suit filed against Excellus, and its holding company, Lifetime Healthcare, in the U.S. district court for the western district of New York, plaintiffs make allegations of negligence and breach of contract against the health plan, which disclosed a cyber-attack on Sept. 9.

Breach Details

Excellus said that the cyber-attack began in December 2013 but wasn't discovered until Aug. 5, 2015.

The company says the breach was detected after Excellus, which is based in Rochester, N.Y., hired cybersecurity firm Mandiant to conduct a forensic assessment of the company's IT systems in the wake of multiple health insurers - including Anthem Inc., Premera Blue Cross and CareFirst Blue Cross Blue Shield - belatedly discovering that their systems had been breached and member data stolen.

Among the affected individuals in the Excellus breach are members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus, the company has said.

Compromised data includes names, addresses, birthdates, Social Security numbers, health plan ID numbers, financial account information, as well as claims data and clinical information. Excellus has said the data was encrypted; however, hackers gained access to administrative controls, making the encryption moot.

An Excellus spokesman tells Information Security Media Group that the company does not comment on litigation.

Lawsuit's Allegations

The suit against Excellus alleges that the health insurer failed "to fulfill their legal duty to protect the sensitive information of their customers and those customers whose data was stored in its systems."

In addition, the suit alleges that Excellus "knew about the security breach for over one month before they publicly disclosed the incident."

The complaint alleges that the health insurer "breached their duty to protect and safeguard its customers' personal, health and financial information and to take reasonable steps to contain the damage caused where any such information was compromised."

The case against Excellus also alleges that plaintiffs "have suffered and/or are reasonably likely to suffer theft of personal and health information; costs associated with prevention, detection, and mitigation of identity theft and/or fraud ... and damages from the unconsented exposure of personal and health information due to this breach."

The suit is seeking unspecified damages, plus expenses.

Uphill Battle

Plaintiffs in breach class action lawsuits often face an uphill battle unless they are able to show evidence of harm.

"The courts have said, 'just because your information isn't where it's supposed to be, doesn't mean you've actually been harmed,'" says privacy attorney Kirk Nahra of Washington-based law firm Wiley Rein, who is not involved in the cases. "There have been dozens, maybe hundreds of cases across the country holding that the mere potential of something in the future is not sufficient to allege the injury that is required to bring a case."

Even in the Anthem breach, which affected nearly 80 million individuals, "there's no chance that 80 million people will have something bad happen, some harm done to them," he says.

While most class action lawsuits filed in the wake of health data breach cases have ended up being dismissed by the courts, one rare "win" for plaintiffs was a settlement in a breach class action lawsuit against AvMed Health Plan.

The $3 million settlement agreed to in 2013 by AvMed, a Florida-based health insurer, stemmed from a 2009 data breach involving the theft of two unencrypted laptop computers containing data on 1.2 million individuals (see Settlement in AvMed Breach Suit).

The AvMed settlement, filed in a U.S. District Court, is considered significant because it awarded payments to individuals who were not victims of identity theft, but who paid premiums to AvMed in years leading up to the theft.

Settlement documents in that case explain that awards of up to $30 each to about 460,000 individuals affected by the breach represent what AvMed should have spent on protecting data, amounting to a refund of premium overpayment. Additionally, individuals who were victims of identity theft as a result of the breach can submit claims to be reimbursed by AvMed for their monetary losses.

But Nahra says the kind of argument in the AvMed case - that a portion of premiums paid by members should have gone to securing their data - might not hold up in the Excellus complaint alleging breach of contract.

"It's not a particularly strong argument. Nobody buys healthcare insurance based on a percentage of their premium going to security," he says.