
Senator Calls for Answers over Excellus Data Breach; Lawyers Seek Damages for Victims

The Excellus data breach, first reported earlier this month, potentially exposed the Protected Health Information (PHI) of approximately 10.5 million health insurance subscribers. The Rochester-based insurer is investigating the malware infection that caused the breach, but many victims have been left puzzled over what went wrong and how their data came to be exposed. On Friday, nine days after the Excellus data breach was announced, New York State Sen. Michael Nozzolio wrote a 4-page letter to the health insurer demanding answers.

The data breach is understood to have affected 7 million health insurance subscribers, in addition to 3.5 million customers of its affiliates, Lifetime Healthcare Companies. Excellus BlueCross BlueShield is in the process of notifying all affected individuals about the exposure of their PHI, yet the information provided so far has been insufficient, according to the senator, who claims the company “has not been sufficiently transparent, nor comprehensive.”

The letter, posted on the New York Senate website, says “Victims of this cyberattack simply have not been provided with adequate information about the scope and nature of the unauthorized access of their confidential personal and medical information, nor have they been assured all necessary steps are being taken to prevent this from happening again.”

More Questions Unanswered than Answered about Excellus Data Breach


Nozzolio seeks answers to a number of questions on behalf of the victims. Top of that list is how such an extensive data breach could have remained undetected for 20 months. The Excellus data breach was first discovered on August 5, 2015, yet the investigation revealed malware was first downloaded on December 23, 2013.


A question has also been asked about how the data breach was discovered. Excellus hired a third-party security firm to perform an analysis of its computer network, yet no information was provided as to why the company was hired or what prompted the audit of its computers. Nozzolio also wants to know why it took 5 weeks for Excellus to inform victims about the exposure of their PHI.

The senator wants subscribers to be given an accurate estimate of the level of risk they face, asking “did the hackers have prolonged access to confidential data within the Excellus system during the past 20 months?”

The letter criticizes Excellus for an apparent failure to perform periodic audits of its systems. Earlier this year, other health insurers (Anthem and Premera) discovered that hackers had gained access to huge volumes of data, and in those cases it was clear that access had been gained many months previously. The senator has asked whether penetration testing and security vulnerability investigations had previously taken place. Given the severity of past attacks on other insurers, malware scans should have been conducted frequently.

One very important point raised is who exactly has been affected by the Excellus data breach. The initial announcement said “This incident affects members, patients or others who have done business with the impacted plans listed below.” The senator has asked who exactly this statement refers to. “Others who have done business with the impacted plans” could involve an extensive list of organizations and individuals, yet no such list has been provided. The senator has asked whether “every hospital, pharmacy, physician and other type of medical provider affiliated with its network might be impacted by this cyberattack.” It is felt that the information provided to the victims so far leaves more questions unanswered than answered.

Class-Action Lawsuit Filed for Excellus Data Breach


The investigation into the Excellus data breach may not yet have concluded, but time waits for no lawyer. Victims of the data breach are already being signed up for a class-action suit against the Rochester health insurer. The first (and certainly not the last) lawsuit was filed on Friday by lawyers for plaintiffs Matthew Fero, Shirley Krenzer and Erin O’Brian, whose PHI was exposed in the security breach, with class-action status sought in New York and nationwide. The plaintiffs are seeking as yet unspecified damages and legal fees from the insurer, and a jury trial has also been requested.

The lawsuit claims the health insurer has been negligent by failing to put sufficient protections in place to keep the Protected Health Information of plan members secure, and also claims Excellus BlueCross BlueShield breached its contract with subscribers.

The breach closely followed an announcement by the FBI that the Protected Health Information of healthcare patients and health insurance subscribers is being targeted by malicious outsiders. The lawsuit claims that Excellus should have heeded this warning and put additional safeguards in place in light of the increased risk of cyberattacks.

Unspecified Damages and Extended Credit Monitoring Services Sought


In addition to the damages being sought, the plaintiffs, represented by Hadley Matarazzo from legal firm Faraci Lange, are seeking additional cover in light of the increased risk of identity theft they now face. Matarazzo said last week, “What we’re looking for is whatever we need to do to assist the plaintiffs in restoring them back to the situation [before] the breach.” She went on to say, “it’s well-known that free monitoring runs out after a relatively short time, so anyone who has stolen information can wait until the protection expires.” Excellus has offered credit monitoring and credit protection services to the 10.5 million victims of the breach for a period of two years without charge.

Matarazzo also pointed out that credit monitoring services have not been offered to the most vulnerable breach victims. Minors are not permitted to sign up for the services, yet these individuals are the most vulnerable. Hackers are particularly interested in obtaining the Social Security numbers and healthcare data of individuals under the age of 18 years, as the information can be used to rack up huge debts in their names. Parents rarely check to see if the identities of their children have been stolen, allowing data thieves years to use the data with little risk of being caught.

This may well be the case, but Excellus BCBS has not left minors unprotected. Credit monitoring services may not be offered, but minors affected by the Excellus data breach will benefit from identity theft protection and credit restoration services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.