
Excellus, BCBSA Reach Settlement Following 2015 Data Breach

Excellus and Blue Cross Blue Shield Association reached a settlement in a class-action lawsuit resulting from a 2015 data breach that impacted 10.5 million people.


By Jill McKeon

Excellus Health Plan, Blue Cross Blue Shield Association, and affiliate companies reached a tentative settlement in a class-action lawsuit stemming from a 2015 cyberattack. The data breach impacted 10.5 million individuals at the time, making it one of the largest healthcare data breaches in recent history.

The lawsuit alleged that Excellus, BCBSA, and their affiliates failed to safeguard protected health information (PHI), delayed customer breach notification for too long, and did not give customers adequate information about how they could protect themselves.

According to the court documents, Excellus discovered the cyberattack on August 5, 2015, but it could have begun as early as December 2013. The attackers exfiltrated names, Social Security numbers, addresses, financial information, medical claims information, credit card numbers, and birth dates.

Tax documents have been filed in class members’ names, and some have experienced credit and debit card fraud, the court documents stated. In addition, the plaintiffs argued that Excellus did not provide enough information to help victims prevent fraud and identity theft.

If approved at the final hearing on April 13, 2022, the defendants will have to pay upwards of $3.3 million and up to $1 million in legal fee reimbursements. In January 2021, Excellus also settled with the Office for Civil Rights (OCR) and agreed to pay a $5.1 million civil monetary penalty to resolve alleged HIPAA failures.

Excellus denied any wrongdoing in the most recent settlement and agreed to make numerous improvements to its security programs.

“Within 12 months of the settlement becoming final, Excellus will develop a strategy, and engage vendor(s) as appropriate, to ensure Records containing PII or PHI are disposed of within one year of the original retention period as set forth in Excellus’s document retention policy,” the proposed settlement notice stated.

“Within 24 months of the settlement becoming final, Excellus will make good faith efforts to effectuate the enforcement mechanism and will report on this progress.”

In addition, Excellus will have to increase its minimum information security budget and take specific security measures to harden its network. The settlement did not divulge the specific tools and processes that will be implemented for this purpose.

The settlement also referenced Excellus’ agreement with OCR and will require Excellus to provide the plaintiffs’ counsel with copies of all submissions to OCR in accordance with its corrective action plan.

Excellus also agreed to engage in a data archiving program with respect to databases containing PHI and PII.

“For three years after the Settlement, Excellus will provide Plaintiffs’ counsel with an annual declaration attesting to its compliance with each of the foregoing items, and, to the extent Excellus has not complied with any of the foregoing items, an explanation of the deficiency and proposed steps to remedy the non-compliance,” the notice continued.