Decision to Dismiss Excellus Data Breach Class Action Reversed in Favor of Plaintiffs

U.S. District Court Judge Elizabeth A. Wolford, who is presiding over the Excellus data breach class action, reinstated certain plaintiffs’ claims in a decision released on Friday that reconsidered and reversed her previous ruling dismissing those claims.

In a decision last February, Judge Wolford ruled that four of the twenty named plaintiffs in the class action could not proceed with their claims as they had not alleged any misuse of their personally identifiable information due to the breach. According to this ruling, the plaintiffs’ risk of future harm was not “certainly impending” and so they had failed to allege an injury sufficient to establish Article III standing.

Following the February decision, the plaintiffs filed a motion for reconsideration in March, arguing the Court had relied on undeveloped details regarding the breach that should not have been considered at this stage.

The Second Circuit’s May decision in the Whalen v. Michaels Stores Inc. case also helped strengthen the plaintiffs’ motion for reconsideration.

The Whalen decision indicated in dicta that the theft of personally identifying information, such as Social Security numbers or birthdates, in a data breach would be enough for standing based on a threat of future harm.

“Until the Supreme Court or the Second Circuit definitively weighs in, in this circuit at least, harm based on the theft of personally identifying information, such as a Social Security number or date of birth, as alleged [by the Excellus plaintiffs], is sufficient to establish standing,” stated Judge Wolford in her decision.

The plaintiffs’ motion for reconsideration also revealed new evidence which established that three of the dismissed plaintiffs’ data had been extracted from Excellus and was for sale on the dark web. This reinforced their claims that their personally identifying information had been compromised and that hackers had harmful intentions.

Judge Wolford explained, “Had the court had the benefit of all this additional information when it rendered its decision and order, it would have reached a different conclusion — and it does so now.”

In a statement to the Democrat & Chronicle, Hadley Matarazzo, who is one of the lead counsels for the plaintiffs, said they are “…pleased by the Court’s ruling and are thankful that the claims of the representative plaintiffs whose personally identifiable and health information has been stolen, but not yet misused, are reinstated and will move forward on behalf of this class of individuals.”


Cybersecurity Attacks are 2016’s Leading Cause of Healthcare Data Breaches

The top ten data breaches within the healthcare industry in 2016 were caused primarily by cybersecurity attacks such as ransomware and unauthorized access.

In 2016, approximately 300 data breach incidents were reported to the Office for Civil Rights, among which 95 were caused by an IT-related or hacking occurrence and 125 stemmed from unauthorized access or disclosure. Theft of devices or records caused 58 of the reported breaches, while 16 were attributed to loss and seven to improper disposal.

HealthITSecurity published its annual countdown of 2016’s top ten data breaches in the healthcare industry:

10. Premier Healthcare, LLC

9. Central Ohio Urology Group, Inc.

8. California Correctional Health Care Services

7. Radiology Regional Center, PA

6. Peachtree Orthopaedic Clinic

5. Bon Secours Health System Incorporated

4. Valley Anesthesiology and Pain Consultants

3. 21st Century Oncology

2. Newkirk Products, Inc.

1. Banner Health

One of the largest healthcare data breaches of 2015 was the Excellus data breach, which compromised the personal health information of over 10 million people.

An Excellus class action lawsuit, which was co-led by Faraci Lange’s Hadley Matarazzo, alleged that the company failed to protect customer information, waited too long to tell customers about the breach and did not give customers adequate information about how to protect themselves in the wake of the breach.

Learn more about the Excellus data breach lawsuit here.


Consumers Refuse to Allow Blue Cross to Escape Data Breach Claims

On Thursday, consumers in New York federal court argued that the Blue Cross Blue Shield Association cannot escape the class action claims it faces over a health insurance data breach and must be held responsible for failing to protect sensitive information.

The BCBSA made a bid to shake the data breach claims against Excellus BlueCross BlueShield, which is one of its licensees. Customers fiercely criticized this bid, contending that Excellus had signed a contract promising health care to federal workers and that it would ensure the protection of consumer information.

The proposed class action lawsuits, which began after hackers gained access to about 10 million consumer records, allege that the company “failed to protect customer information, waited too long to tell customers about the breach and did not give customers adequate information about how to protect themselves in the wake of the breach.”

BCBSA moved to toss the data breach claims against it last month, arguing that it merely entered into the contract on behalf of independent insurance companies that it licenses the Blue Cross and Blue Shield marks to.

Faraci Lange partner Hadley L. Matarazzo, who represents the customers, told Law360 that “BCBSA, as sponsors and administers of a health plan for federal employees, made certain promises regarding data security that they failed to live up to.”

Read the full article here.