Data Breach Lawsuit Against Excellus BCBS Survives Motion to Dismiss, in Part

A lawsuit filed by plaintiffs whose ePHI was exposed as a result of a cyberattack on Excellus BlueCross BlueShield has survived a motion to dismiss. The United States District Court for the Western District of New York has granted the motions to dismiss in part and denied them in part.

The hacking of Excellus BlueCross BlueShield in 2013 resulted in the exposure of the protected health information of more than 10 million health insurance subscribers. The data breach was discovered in 2015, some 20 months after access to members’ data was first gained.

Following the discovery of the cyberattack, Excellus hired cybersecurity firm Mandiant to conduct a forensic analysis which revealed malware had been installed on the network. While the malware could potentially have resulted in the theft of PHI, no evidence of data exfiltration was discovered, although the possibility that data was stolen could not be ruled out.

Multiple lawsuits were filed against Excellus BCBS, which were consolidated into one case – Matthew Fero, et al., vs Excellus Health Plan Inc.

The plaintiffs allege Excellus was negligent for failing to implement sufficient measures to safeguard the confidentiality, integrity and availability of their electronic protected health information. The plaintiffs also allege breach of implied covenant of good faith and fair dealing, breach of contract, third-party beneficiary breach of contract for the Federal Employee class, negligent misrepresentation, unjust enrichment, violations of state consumer protection laws, violation of the California Customer Records Act, and violations of state insurance personal privacy statutes.

Many lawsuits are filed following healthcare data breaches even though actual losses have not been suffered. Plaintiffs claim that the theft of data places them at a future risk of harm. However, in this case, a number of plaintiffs claim they have suffered actual losses as a direct result of the breach.

Four plaintiffs allege fraudulent tax returns were filed in their names, three allege they suffered identity theft, while twelve allege they have been victims of credit/debit card fraud. All said they had to spend time mitigating risk and that they suffered anxiety and fear of identity theft as a direct result of the breach. All claim they face a future risk of harm as a result of the cyberattack.

Excellus filed two motions to dismiss the lawsuit: one for lack of standing and one for failure to state a claim. Excellus sought to dismiss the lawsuit for lack of standing with two separate arguments. First, four plaintiffs did not allege they suffered any misuse of their personally identifiable information due to the cyberattack. Second, the remaining sixteen plaintiffs failed to allege facts establishing that the harm they suffered was traceable to the Excellus cyberattack.

United States District Judge Elizabeth A. Wolford ruled that each of the two motions to dismiss was granted in part and denied in part.

For the plaintiffs that did not allege they had suffered actual harm or losses as a result of the cyberattack, the claims were dismissed without prejudice, although in all other respects the motion to dismiss was denied.

The motion to dismiss for failure to state a claim was granted, in part, with respect to the claim for breach of the implied covenant of good faith and fair dealing, the negligent misrepresentation claim, the CCRA claim, and the NJIPPA and NCCIPA claims, which were dismissed with prejudice, with the exception of the plaintiffs’ claim of breach of the implied covenant of good faith and fair dealing, which may be pursued as part of the breach of contract claim. The plaintiffs will be allowed to replead the negligent misrepresentation claim. The claim for misrepresentation was dismissed as none of the plaintiffs alleged they had actually read the privacy and security notices prior to taking out

The ruling follows many similar cases, in that the claims for future losses were deemed too speculative. Due to the volume of healthcare data breaches that are now being discovered, it is increasingly common for defendants to argue that alleged losses are not traceable to a specific breach. In this case, Judge Elizabeth Wolford ruled that Excellus’s arguments that the alleged identity theft and other instances of data misuse could not be traced to the 2013 cyberattack had failed, and that the alleged losses were fairly traceable to the cyberattack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.