
Class action suit brought against Excellus over hack

Patti Singer
@PattiSingerRoc
Inside the Excellus building on Court Street. The major data breach at Excellus is one of several affecting health-care companies across the country.

A class action lawsuit claiming negligence and breach of contract was filed Friday against Rochester's largest insurer in the wake of a data breach that potentially exposed personal information of millions of people.

The complaint on behalf of Matthew Fero, Shirley Krenzer and Erin O'Brien names Excellus Health Plan Inc. and Lifetime Healthcare Inc. The complainants are seeking nationwide and New York class status and awards of unspecified damages and legal fees. There is a request for a jury trial.

Fero and Krenzer are current Excellus subscribers. O'Brien was a subscriber until April, according to the suit.

"To the best of my knowledge, this is the first one to be filed," said Hadley Matarazzo, partner with Faraci Lange, who filed the suit in U.S. District Court in Rochester. "Additional ones may be filed."

As of Friday evening, Excellus and Lifetime Healthcare had yet to be served with the lawsuit.

Asked for a response to the lawsuit, Excellus spokesman Jim Redmond wrote in an email that the company does not comment on litigation.

If the lawsuit is not certified as class action, individuals can proceed on their own, Matarazzo said.


The lawsuit was filed just over a week after Excellus BlueCross BlueShield and parent Lifetime Healthcare Cos. announced a "sophisticated cyberattack" on their information technology system. They said they learned of the breach Aug. 5. However, they acknowledged an initial hack in December 2013 that went undiscovered and said it wasn't until a cybersecurity firm was hired as a result of hacks on other insurers that their own breach was detected.

Apparently concerned with Excellus' response, Sen. Michael Nozzolio, R-Seneca Falls, wrote a sharp letter this week to Lifetime Healthcare President and Chief Executive Officer Christopher Booth. Nozzolio questioned Booth on several areas related to the hack and its aftermath, wanting to know exactly what happened, why it took so long for the breach to be detected and what's being done to make everything right.

"I wanted to make it as pointed as possible," Nozzolio said in a phone interview.

Nozzolio posted the letter on his website on Thursday and emailed constituents. "It is my hope Excellus will respond with answers to the questions I have raised and provide critically important information on what steps they are taking to provide adequate protections to their subscribers," he wrote to them.

Nozzolio said he asked for written responses, which he said he would post on his website.

Redmond wrote that Excellus received the letter and "will be responding soon."


Approximately 10.5 million individuals may have been affected by the breach, which followed hacks of health insurers elsewhere in the country, notably other Blues plans Anthem and Premera. Excellus has about 1.6 million members, but the breach affects current and former subscribers, patients and others who do business with Excellus and Lifetime Healthcare. Members of other Blues plans who were treated in the 31 counties serviced by Excellus also were affected, which is why the potential number is so high.

The lawsuit states that the number of security breaches in just 2014 and 2015 "should have placed Defendants on notice of the need to improve its cyber security systems." The suit made reference to a "'flash warning'" by the FBI to the health care industry that it had observed "'malicious actors targeting health care related systems, perhaps for the purpose of obtaining Protected Healthcare Information … .'"

The suit claims the company was negligent in maintaining subscriber data, catching the breach and taking the necessary steps to ensure the system was secure and that any breaches were caught in a timely fashion.

Redmond wrote that an investigation has not determined that any data were removed. He wrote the investigation continues and "to date there is no evidence that any data has been used inappropriately." He wrote he could not provide details because of an ongoing FBI investigation.

However, he wrote, the attack did not involve a virus. "The malware used by the attackers cannot be passed from one network to another without attackers intentionally inserting the malware into the second network. Further, working with Mandiant, we removed the malware used by the attackers on our IT systems and the attack has been blocked."

Mandiant is the cybersecurity firm that discovered the breach.

The lawsuit states that the privacy policy on the Excellus website makes it clear that "Defendants are aware of the importance their customers place on privacy, as well as their duty to safeguard the personal and health information that their customers supply to them, and to promptly notify their customers if their information is compromised."

Excellus and Lifetime are offering two years of credit monitoring and identity theft protection to people affected. But the lawsuit claims that is not enough.

"What we're looking for is whatever we need to do to assist the plaintiffs in restoring them back to the situation (before) the breach," Matarazzo said. "We would like protection against identity theft well into the future." She said it's well-known that free monitoring runs out after a relatively short time, so anyone who has stolen information can wait until the protection expires.

Redmond wrote that tens of thousands of those affected have signed up "and the numbers are constantly growing."

However, credit monitoring is not available to anyone younger than 18, which Matarazzo said leaves children particularly vulnerable. "Someone can use the identity of the kids because you wouldn't know about it."

Asked about protection for children, Redmond wrote that free identity theft protection is available for members' children until Sept. 9, 2019. He said the child's identity theft protection services include consultation and restoration.

Excellus and Lifetime Healthcare continue to send letters about the data breach and what's being done to protect you and your family.

If you have questions, you can go to www.excellusfacts.com or lifethcfacts.com, or call (877) 589-3331.

PSINGER@Gannett.com