Proposed Settlement Calls for Health Plan to Bolster SecurityLawsuit Against Excellus Filed in Wake of Hack Affecting 10.5 Million Individuals
A proposed settlement in a class action lawsuit filed against health insurer Excellus Blue Cross Blue Shield in the wake of a cyberattack that affected 10.5 million individuals calls for the company to take a series of measures to improve data security.
The proposed agreement for the New York-based health insurer to make significant improvement to its data security program in the wake of the hacking incident, which was discovered in 2015, follows a trend of similar demands in lawsuit settlements - as well as regulatory enforcement actions - involving major data breach cases at other healthcare sector organizations.
Among the largest was a $115 million settlement in the private class action lawsuit - and a $16 million enforcement action by federal regulators - against health insurer Anthem in the wake of a 2014 hacking incident affecting nearly 79 million individuals.
Each of those actions also required Anthem to make a series of improvements to its data security programs as part of settlements.
A final approval hearing for the proposed settlement in the Excellus class action lawsuit is set for April 23 in a New York federal court.
Excellus, in a statement to Information Security Media Group, says: "We’re pleased to be resolving this matter. … We’re also proud of the strides we’ve made to further protect sensitive data across our environment since the time of the attack.
"As part of the settlement, Excellus made no admission of liability and has agreed to terms for injunctive relief. The injunctive relief is focused on ensuring that the health plan maintains a certain level of commitment to, and investment in, its information technology and security practices."
Under the terms of the proposed settlement, Excellus is required to make changes or enhancements to a number of business practices related to safeguarding the protected health information and personally identifiable information of its health plan members for three years after the settlement is final, or two years after each item is fully implemented.
Settlement documents also note that Excellus, and several affiliated defendants named in the lawsuit, including its holding company, Lifetime Healthcare, and Blue Cross Blue Shield Association, deny any wrongdoing, and that "no court has made a determination that the Excellus [and other defendants] have done anything wrong."
An attorney representing the class members in the lawsuit tells ISMG that the security improvements required by Excellus under the settlement "do not overlap" with a series of corrective actions that Excellus also agreed to take under a $5.1 million HIPAA settlement the insurer signed last year with the Department of Health and Human Services' Office for Civil Rights for the same data breach (see: Excellus Health Plan Hit with $5.1 HIPAA Settlement.
Enhancements to Security
Under the proposed settlement, the changes and enhancements Excellus has agreed to make to its data security practices include:
- Increase and maintain a minimum information security budget. Any amounts not allocated in a given year will be rolled over to the subsequent year and must be spent on information security. The specific amount was not disclosed in settlement documents.
- Develop a document destruction strategy and engage vendors, as appropriate, to ensure records containing PII or PHI are disposed of within one year of the original retention period, as spelled out in Excellus' document retention policy.
- Improve network security through the implementation of tools, processes and systems for detecting suspicious activity, authenticating users, and responding to and containing security incidents.
More specific details of the required security improvements are not included in public court documents due to the potential risk their disclosure could pose, a settlement notice says.
HHS OCR Agreement
Under the proposed class action settlement, Excellus also provided plaintiffs' attorneys with copies of all submissions the company made to HHS OCR related to the health insurer's 2021 HIPAA resolution agreement and corrective action plan involving the same hacking incident.
"The claims made in the lawsuit were made much stronger due the findings of the investigation by HHS OCR, which found that [Excellus] likely failed to comply with the HIPAA Security Rule because it did not have appropriate information security safeguards in place."
—David Holtzman, HITprivacy LLC
"Excellus has engaged in an extensive data archiving program following the cybersecurity incident, including with respect to its databases that maintain PII and PHI," the proposed settlement notice says.
An attorney representing affected individuals in the class action lawsuit against Excellus tells ISMG the security enhancements the company must make under the proposed settlement are "more prescriptive" than what is contained in the HIPAA resolution agreement with HHS OCR.
No Monetary Payments
The proposed Excellus settlement does not include monetary relief for class members. That's due to the court earlier concluding that classes seeking damages could not be certified for various legal reasons, says the attorney representing the class members.
Privacy attorney David Holtzman of the consultancy HITprivacy LLC, who is not involved in the case, says that language in settlement documents between Excellus and the plaintiffs leave the issue concerning monetary damages to affected individuals open in further negotiation or future litigation.
"This agreement to partially resolve the claims in the class action lawsuit is a strategic decision for Excellus," Holtzman says.
"The claims made in the lawsuit were made much stronger due the findings of the investigation by HHS OCR, which found that the company likely failed to comply with the HIPAA Security Rule because it did not have appropriate information security safeguards in place to protect the PHI of its patients and insurance plan holders."
Federal courts have been working through many lawsuits brought by consumers who allege they have been harmed when their personal information has been disclosed without their authorization in data breaches, Holtzman says.
"Standards for how individuals demonstrate actual harm from misuse of their sensitive information or have reasonable expectation that they are at significant risk of being victimized continue to evolve on a case-by-case basis," Holtzman says.
"Any settlement - cash or cashless - that includes agreements to 'improve data security' should have teeth and shouldn’t provide entities with a 'check box' easy out."
—Steven Teppler, Sterlington PLLC
"In the Excellus case, individuals who can show their sensitive personal information was available on the dark web in a proximate time frame to the cyberattack will likely be in the strongest position to negotiate a monetary settlement as this case moves forward," Holtzman says.
Technology attorney Steven Teppler of law firm Sterlington, PLLC says that the ever-increasing volume of data breaches occurring poses potential obstacles for lawsuit plaintiffs and class members trying to show they have been harmed by a particular incident.
"Some threat actors 'age' their victim’s PII. There are - and have been - so many breaches that attribution of loss to any particular breach is more of a challenge on the proof side for plaintiffs, and provides ammunition for the defendant," he says.
This all places "a greater burden on plaintiff-victims" to keep good financial records and keep alert for anomalous activity on all their online accounts, including financial, social, entertainment and messaging, he says.
The bottom line, according to Teppler, is: "Any settlement - cash or cashless - that includes agreements to 'improve data security' should have teeth and shouldn’t provide entities with a 'check box' easy out."
"The agreement must be enforceable, the improvements auditable, and have specific metrics such as compliance with existing security standards - such as NIST - and penalties for noncompliance that do not amount to parking tickets."
Also this week, the New York attorney general disclosed a settlement with benefits provider EyeMed Vision Care following a 2020 email hacking breach that affected 2.1 million individuals, including nearly 99,000 New Yorkers.
Under that settlement, Macon, Ohio-based EyeMed agreed to pay a $600,000 fine and implement a long list of data security improvements.