Share this article on:
The Excellus data breach, first reported earlier this month, potentially exposed the Protected Health Information (PHI) of approximately 10.5 million health insurance subscribers. The Rochester-based insurer is investigating the malware infection that caused to the breach, but many victims have been left puzzled over what went wrong, and how their data came to be exposed. On Friday, nine days after the Excellus data breach was announced, New York State Sen. Michael Nozzolio wrote a 4-page letter to the health insurer demanding answers.
The data breach is understood to have affected 7 million health insurance subscribers, in addition to 3.5 million customers of its affiliates, Lifetime Healthcare Companies. Excellus BlueCross BlueShield is in the process of notifying all affected individuals about the exposure of their PHI, yet the information provided so far has been insufficient, according to the senator, who claims the company “has not been sufficiently transparent, nor comprehensive.”
The letter, posted on the New York Senate website, says “Victims of this cyberattack simply have not been provided with adequate information about the scope and nature of the unauthorized access of their confidential personal and medical information, nor have they been assured all necessary steps are being taken to prevent this from happening again.”
More Questions Unanswered than Answered about Excellus Data Breach
Nozzolio seeks answers to a number of questions on behalf of the victims. Top of that list is how such an extensive data breach could have remained undetected for 20 months. The Excellus data breach was first discovered on August 5, 2015, yet the investigation revealed malware was first downloaded on December 23, 2013.
A question has also been asked about how the data breach was discovered. Excellus hired a third party security firm to perform an analysis of its computer network, yet no information was provided as to why the company was hired, and what prompted the audit of its computers. Nozzolio also wants to know why it took 5 weeks for Excellus to inform victims about the exposure of their PHI.
The senator wants subscribers to be given an accurate estimate of the level of risk they face, asking “did the hackers have prolonged access to confidential data within the Excellus system during the past 20 months?”
The letter criticizes Excellus for an apparent failure to perform periodic audits of its systems. Other health insurers discovered hackers had gained access to huge volumes of data earlier this year – Anthem and Premera – and in these cases it was clear that access had been gained to data many months previously. The senator has asked if penetration testing and security vulnerability investigations had previously taken place. Given the severity of past attacks on other insurers, malware scans should have been conducted frequently.
One very important point raised, is who exactly has been affected by the Excellus data breach? The initial announcement said “This incident affects members, patients or others who have done business with the impacted plans listed below.” The senator has asked who exactly this statement refers to. “Others who have done business with the impacted plans” could involve an extensive list of organizations and individuals, yet these have not been provided. The senator has asked whether “every hospital, pharmacy, physician and other type of medical provider affiliated with its network might be impacted by this cyberattack.” It is felt that the information provided to the victims so far leaves more questions unanswered than answered.
Class-Action Lawsuit Filed for Excellus Data Breach
The investigation into the Excellus data breach may not yet have concluded, but time waits for no lawyer. Victims of the data breach are already being signed up for a class-action suit against the Rochester health insurer. The first (and certainly not the last) lawsuit was filed on Friday by lawyers for plaintiffs Matthew Fero, Shirley Krenzer and Erin O’Brian, whose PHI was exposed in the security breach, with class-action status sought in New York and nationwide. The plaintiffs are seeking as of yet unspecified damages and legal fees from the insurer, with a jury trial also requested.
The lawsuit claims the health insurer has been negligent by failing to put sufficient protections in place to keep the Protected Health Information of plan members secure, and also claims Excellus BlueCross BlueShield breached its contract with subscribers.
The breach closely followed an announcement by the FBI that the Protected Health Information of healthcare patients and health insurance subscribers is being targeted by malicious outsiders. The lawsuit claims that Excellus should have heeded this warning and put additional safeguards in place in light of the increased risk of cyberattacks.
Unspecified Damages and Extended Credit Monitoring Services Sought
In addition to the damages being sought, the plaintiffs – represented by Hadley Matarazzo from legal firm Faraci Lange – are seeking additional cover in light of the increased risk of identity theft they now face. Matarazzo said last week, “What we’re looking for is whatever we need to do assist the plaintiffs in restoring them back to the situation [before] the breach,” She went on to say, “it’s well-known that free monitoring runs out after a relatively short time, so anyone who has stolen information can wait until the protection expires. Excellus has offered credit monitoring and credit protection services to the 10.5 million victims of the breach for a period of two years without charge.
Matarazzo also pointed out that credit monitoring services have not been offered to the most vulnerable breach victims. Minors are not permitted to sign up for the services, yet these individuals are the most vulnerable. Hackers are particularly interested in obtaining the Social Security numbers and healthcare data of individuals under the age of 18 years, as the information can be used to rack up huge debts in their names. Parents rarely check to see if the identities of their children have been stolen, allowing data thieves years to use the data with little risk of being caught.
This may well be the case, but Excellus BCBS has not left minors unprotected. Credit monitoring services may not be offered, but minors affected by the Excellus data breach will benefit from identity theft protection and credit restoration services.