The Final Chapter of the Excellus Data Breach

Posted by HIPAA Software on Feb 04, 2022
Excellus Health Data Breach

The Excellus data breach was one of the largest and most significant cyberattacks disclosed in 2015. It exposed the personally identifiable information (PII) and protected health information (PHI) of more than 9.3 million patients nationwide. The plaintiffs’ attorneys and the company have now reached a settlement in the Excellus HIPAA class action lawsuit, pending judicial review.

The Excellus Health Plan Data Breach History

In August 2015, the health insurance company Excellus hired a cybersecurity firm to assess its information technology systems. The assessment uncovered an intrusion that had gone unnoticed for well over a year: attackers had first gained access to the system on December 23, 2013 and were active within the network until August 18, 2014. They installed malware and retained access to the network until May 11, 2015, after which they were no longer able to enter the system.

Excellus then filed a breach report with the HHS Office for Civil Rights (OCR) in September 2015, disclosing that the attackers had access to patient files containing ePHI from December 2013 through May 2015. That is to say, the attackers had roughly 17 months of undetected access, and Excellus did not discover the intrusion until August 2015. OCR launched an investigation into the breach and identified several potential violations of the HIPAA Rules. In January 2021, Excellus settled that case, agreeing to pay a $5.1 million financial penalty and to implement a corrective action plan addressing the security failures and the alleged HIPAA non-compliance.


Excellus HIPAA Class Action Lawsuit

In January 2022, attorneys announced the settlement with Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and Blue Cross Blue Shield Association (BCBSA).

The lawsuit alleged that the companies failed to adequately protect PHI and PII, failed to inform customers of the data breach, and did not give customers adequate information about how to protect themselves from its effects.

Under the settlement, Excellus agreed to the following changes to its security and data-handling practices:

  • Develop strategies to ensure that records containing PHI are disposed of within one year of the end of their original retention period;
  • Strengthen the tools, processes, and systems it uses to detect suspicious activity on its network;
  • Engage in an extensive data-archiving program for its databases;
  • Increase its information security budget and maintain a minimum level of security spending.

The settlement must still be approved by the judge overseeing the case. A hearing is scheduled for April 13, 2022.
