A settlement has been reached with Excellus Health Plan Inc., affiliate companies and Blue Cross Blue Shield Association in class action litigation involving a cyberattack that led to a data breach in 2015. The Class includes individuals in the United States whose Personally Identifiable Information (PII) and/or Personal Health Information (PHI) was stored in Excellus’s systems between December 23, 2013 and May 11, 2015, and who (1) are included in Excellus’s list of Impacted Individuals and (2) whose PII and/or PHI currently resides in Excellus’s systems.
Earlier this month, attorneys representing the class announced the settlement, which was reached with Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare and Blue Cross Blue Shield Association. The cyberattack affecting Excellus’s computer network was discovered on August 5, 2015.
The lawsuit alleged that the companies failed to protect customer information, waited too long to inform customers about the breach and did not give customers adequate information about how to protect themselves after the breach. As part of the agreement, the Excellus companies and BCBSA deny any wrongdoing, and no court has made a determination that the Excellus defendants and BCBSA have done anything wrong.
For more information about the settlement, including Class Members’ rights, the Excellus Data Breach Settlement Notice can be found at https://www.faraci.com/blog/2022/january/excellus-data-breach-settlement-notice/.
Plaintiffs were represented by attorneys at Weitz & Luxenberg, Faraci Lange, Gibbs Law Group LLP and Cohen & Malad LLP.
“We are pleased to reach this settlement on behalf of our clients, whose personal information may have been compromised as a result of this data breach,” said James Bilsborrow, of Weitz & Luxenberg, who was appointed co-lead class counsel in the Excellus class action litigation. “The settlement requires Excellus to make business-practice changes to better safeguard customer information in the future, which will make a data breach less likely in the future.”
Under the agreement, the required business-practice changes include:
- Increasing and maintaining a minimum information security budget.
- Developing a strategy to ensure records containing personally identifiable information (PII) or personal health information (PHI) are disposed of within one year of the original retention period.
- Making its network more secure with respect to its tools, processes and systems for detecting suspicious activity, authenticating users, responding to/containing security incidents, and document retention.
- Engaging in an extensive data archiving program with respect to its databases that maintain PII and PHI.
In exchange for these business-practice changes and information exchanges, class members will release all claims for injunctive and declaratory relief they may have against Excellus defendants and BCBSA – but will not release claims for monetary damages.
The court will conduct a Final Approval Hearing using the Zoom for Government platform on Wednesday, April 13, 2022 at 1 p.m. to determine whether to grant final approval to the settlement. Directions for accessing the Final Approval Hearing may be obtained by contacting Hon. Elizabeth A. Wolford’s chambers at [email protected]