Excellus, an upstate New York health insurance carrier, released a statement that it was the latest to fall prey to cyber attackers in December 2013. After learning of the cyber attacks on Anthem, Premera and CareFirst, the Rochester based Excellus BlueCross BlueShield decided to call in the cyber security firm Mandiant to conduct an extensive investigation and analysis of its network systems.
On August 5, 2015 Mandiant reported to Excellus that its IT network had in fact suffered a “sophisticated” cyber breach dating back to December 23, 2013. Excellus immediately began an internal investigation in conjunction with the FBI and Mandiant. The Rochester based health insurer announced that hackers gained access to the personal information of more than 10.5 million current and former Excellus customers, vendors of Excellus’ parent company Lifetime HealthCare as well as Lifetime subsidiaries.
The breach exposed the names, addresses, Social Security numbers, medical claim records, insurance identification numbers, and financial information of Excellus current and former policy holders. However, in the two-page letter from Excellus, though it admits hackers were able to access sensitive personal data it does not state that any of the breached data has been utilized by hackers. Company spokesperson, Jim Redmond stated, “We did not find any evidence of the collection or exfiltration of sensitive data and, to date, there is no evidence that any data has been used inappropriately.” Redmond added that due to the ongoing FBI investigation he could not provide any further details at this time.
But, as has become standard practice now in the wake of cyber breaches, Excellus too is offering two years of free credit monitoring and other forms of identity theft protection to the 10.5 million people whose information was stolen, not that it can actually prevent identity theft though. They are also offering free identity theft consultation and restoration for the children of customers who were affected until September 9, 2019.
As time marched on and the investigation continued, at least five potential class action lawsuits were filed in the Western District Court of New York, which brought the total number of lawsuits from current and former Excellus customers who were affected by the breach to twelve. This is in stark contrast to the claims made by Jim Redmond that “there is no evidence that any data has been used inappropriately” the potential class action and private lawsuits would certainly challenge the validity of Redmond’s statement as three of the twelve suits claim they have already suffered identity theft, medical identity theft, tax fraud and/or credit card fraud as a result of the breach.
All of the suits allege that Excellus did not provide adequate computer security of their personal data, negligence and failure to respond properly to a warning from the FBI in April, 2014 that illuminated the vulnerability of healthcare insurers in particular and possibly could have prevented the breach from happening had the company heeded the warning. The combined 301 pages of the complaints describe in a lengthy number of ways the array of the allegations the plaintiffs have filed suit over, this particular filing on behalf of Katie Fuller and her three children succinctly sums up what most of the plaintiffs allege:
As a direct and proximate result of Defendants’ wrongful actions, inaction and omissions, and the resulting data breach, Class members have suffered and will continue to suffer economic damages, including inter alia the costs of monitoring their credit, monitoring their financial accounts, and mitigating their damages, and they face an immediate and substantial risk of identity theft and fraud, as well as damage to their credit score.
At best, the credit monitoring service offered by defendants may reveal new credit accounts opened with compromised information, but it does nothing to prevent unauthorized charges made to existing accounts.
Fuller, like the other Excellus members, who filed suit feel the company’s response and offer of credit monitoring for two years is not sufficient for a data breach of this nature. The financial and medical information the hackers now have access to poses a long term threat that can not only be troublesome and time consuming, but also very costly.
In particular medical identity theft can cost a victim any where from $13,500 dollars to in excess of $20,000 to clean up and rectify and typically is a long and complicated process. Hackers can simply wait out the credit monitoring two year time period and then utilize the stolen information, the plaintiffs of these law suits are seeking a long term solution to the heightened risk situation they are now in due to the data breach.
In the wake of all the cyber intrusions in recent years, the topic has become a political hotspot, with consumer advocates calling for strict nationwide legislation requiring adequate protections of consumer data by companies that are storing it. Perhaps they should include in these new bills that companies are required to carry adequate cyber insurance policies as well.
Additional Resources About This Breach: