Decision to Dismiss Excellus Data Breach Class Action Reversed in Favor of Plaintiffs
U.S. District Court Judge Elizabeth A. Wolford, who is presiding over the Excellus data breach class action, reinstated certain plaintiffs’ claims in a decision released on Friday that reconsidered and reversed her previous ruling dismissing those claims.
In a decision last February, Judge Wolford ruled that four of the twenty named plaintiffs in the class action could not proceed with their claims as they had not alleged any misuse of their personally identifiable information due to the breach. According to this ruling, the plaintiffs’ risk of future harm was not “certainly impending” and so they had failed to allege an injury sufficient to establish Article III standing.
Following the February decision, the plaintiffs filed a motion for reconsideration in March, arguing the Court had relied on undeveloped details regarding the breach that should not have been considered at this stage.
The Second Circuit’s May decision in the Whalen v. Michaels Stores Inc. case also helped strengthen the plaintiffs’ motion for reconsideration.
The Whalen decision indicated in dicta that the theft of personally identifying information, such as Social Security numbers or birthdates, in a data breach would be enough for standing based on a threat of future harm.
“Until the Supreme Court or the Second Circuit definitively weighs in, in this circuit at least, harm based on the theft of personally identifying information, such as a Social Security number or date of birth, as alleged [by the Excellus plaintiffs], is sufficient to establish standing,” stated Judge Wolford in her decision.
The plaintiffs’ motion for reconsideration also revealed new evidence which established that three of the dismissed plaintiffs’ data had been extracted from Excellus and was for sale on the dark web. This reinforced their claims that their personally identifying information had been compromised and that hackers had harmful intentions.
Judge Wolford explained, “Had the court had the benefit of all this additional information when it rendered its decision and order, it would have reached a different conclusion — and it does so now.”
In a statement to the Democrat & Chronicle, Hadley Matarazzo, who is one of the lead counsels for the plaintiffs, said they are “…pleased by the Court’s ruling and are thankful that the claims of the representative plaintiffs whose personally identifiable and health information has been stolen, but not yet misused, are reinstated and will move forward on behalf of this class of individuals.”
How to Protect Yourself from Identity Theft after Your Data Has Been Breached
Following the unprecedented data breach at Excellus, the 10 million plus affected people are looking for ways to protect themselves from impending risk of future identity theft.
One of the best ways to protect oneself is to make sure that passwords are changed regularly and to not maintain the same password across various accounts.
In addition, freezing one’s credit with all three major credit bureaus is an excellent way to be sure that no unauthorized credit is issued in one’s name.
Finally, the Federal Trade Commission has a comprehensive ID protection guide that is a great resource. Visit their website for more information on how you can protect yourself from identity theft.
Plaintiffs Seek Reconsideration of Court’s Decision in Excellus Data Breach Case
On February 22, 2017, Judge Elizabeth A. Wolford of the United States District Court for the Western District of New York issued a 90-page decision granting in part and denying in part Defendants’ Motions to Dismiss.
In her decision, she dismissed the claims brought by those plaintiffs who had not yet experienced any actual identity theft or fraud, including four of the twenty named plaintiffs. Among other things, she reasoned that these plaintiffs, and those others affected by the Excellus Data Breach, have not yet been legally injured until they experience actual fraud or identity theft.
On March 22, 2017, Plaintiffs’ Lead Counsel filed a Motion for Reconsideration with the Court. In the Motion, Plaintiffs asked the Court to reconsider its decision on a number of legal grounds, including newly discovered evidence found by their experts that shows that both those plaintiffs who have already experienced identity theft and those who have not face a substantial risk of harm in that certain plaintiffs’ information has been found for sale on the Dark Web.
The experts conducted these searches to see what information was actually available. In most instances, it was email addresses and passwords that were found, but in others, social security numbers and/or dates of birth were also found. Unfortunately, the purchase of sensitive information on the Dark Web does not protect victims. Individuals who sell this information can just turn around and sell it again in the future and, according to our experts, often do sell the information multiple times, which is why some of the plaintiffs have continued to experience more fraud.
The Excellus Defendants have until May 3, 2017 to respond to our Motion. Plaintiffs then have one more opportunity to submit papers due May 17, 2017.
It is not known when the Court will issue a decision on Plaintiffs’ Motion for Reconsideration, but expect it will be sometime this year.
Cybersecurity Attacks are 2016’s Leading Cause of Healthcare Data Breaches
The top ten data breaches within the healthcare industry in 2016 were caused primarily by cybersecurity attacks such as ransomware and unauthorized access.
In 2016, approximately 300 data breach incidents were reported to the Office for Civil Rights, among which 95 were caused by an IT-related or hacking occurrence and 125 stemmed from unauthorized access or disclosure. Theft of devices or records caused 58 of the reported breaches, while 16 were accredited to loss and seven to improper disposal.
HealthITSecurity‘s published their annual countdown of 2016’s top ten data breaches in the healthcare industry:
10. Premier Healthcare, LLC
9. Central Ohio Urology Group, Inc.
8. California Correctional Health Care Services
7. Radiology Regional Center, PA
6. Peachtree Orthopaedic Clinic
5. Bon Secours Health System Incorporated
4. Valley Anesthesiology and Pain Consultants
3. 21st Century Oncology
2. Newkirk Products, Inc.
1. Banner Health
One of the largest healthcare data breaches of 2015 was the Excellus data breach, which compromised the personal health information of over 10 million people.
An Excellus class action lawsuit, which was co-lead by Faraci Lange’s Hadley Matarazzo, alleged that the company failed to protect customer information, waited too long to tell customers about the breach and did not give customers adequate information about how to protect themselves in the wake of the breach.
Learn more about the Excellus data breach lawsuit here.
Court Holds Hearings on Excellus Class Action Case
Earlier this year, the Defendants filed papers with the Court asking that the Class Action case be dismissed on various legal grounds. Plaintiffs filed opposition papers asking the Court to continue the case.
In September, Judge Elizabeth A. Wolford of the United States District Court for the Western District of New York held a hearing to hear argument on the various legal issues presented in the motion to dismiss papers and to ask the attorneys questions.
The hearing lasted over three and one-half hours, which is significantly longer than most hearings on a motion to dismiss, with Hadley Matarazzo and James Bilsborrow arguing on behalf of the plaintiffs.
The Court is expected to issue a decision on the case by the end of December.
To view copies of the motion papers filed by all of the parties, click here.
Data Breaches Should Be Scored
Forbes author, Dan Munro, discusses how healthcare is a soft target for cyberattacks and how these data breaches should be scored.
“For the second time in three years, a healthcare data breach was announced around the biggest cybersecurity conferences of the year–Black Hat. Two years ago it was the CHS breach affecting about 4.5 million patients, and earlier this month Banner Health–America’s 15th largest hospital system–announced a data breach affecting 3.7 million people.”
Jeff Williams, who has been in the security industry for over 20 years, suggested that, “we need a system for scoring data breaches and corporate response across key variables as a critical and tangible way to change the dynamic quickly after an announcement. Actually applying an independent score to a data breach could be an effective way to accelerate the path to remediation and restoring trust.”
Here is what Williams thinks a possible rubric for scoring data breaches would look like:
“Tone: Is the announcement apologetic and not blaming? Does it acknowledge that there should have been better defenses, that the breach should have been detected and that the organization should have been able to stop the attack?
Timeline: When was the initial break-in? When was it discovered? How long to disclosure?
Scope: What information was stolen and what control was lost?
Size: How many people were affected? How many servers?
Root Cause: What was the underlying vulnerability that was exploited? What defenses are in place and how did the attack bypass the defenses?
Discovery: Who discovered it? Victims? A security firm? Why didn’t you know earlier?
Remedy: Are you really making victims whole? For how long? [Personal health information–PHI–is literally lifelong]
Future: What are going to do to prevent future/similar attacks?
Blame: Did you state or imply that the attack was “sophisticated” or “advanced?” Did you provide any evidence of that?
Oddities: Were there any oddities to the timeline not making sense–or details that stretch credulity?”
When asked how he would score the Banner Health data breach, Williams provided the following answer:
“For fun, I did an abbreviated disclosure scoring. Overall I give them a C-/D+. There is still an awful lot of missing information. What is there isn’t bad, but we only have a tiny piece of the story of this breach. And they don’t seem too sorry.
- Tone: [C] I’m not convinced. The only recognition of responsibility is the statement “Banner Health deeply regrets any inconvenience this may have caused.”
- Timeline: [C] Good details. Why did it take three weeks to discover the attack? Why another week to discover the attack on patient information and why did they take almost a month to say anything to the public? No details on how long attackers were in the systems before they were discovered?
- Scope: [B] Decent details about information types disclosed. No information about the depth of the breach.
- Size: [C] The numbers for each different type of information breached is still fuzzy. 3.7M seems to be the total number. No information about what systems were compromised.
- Root Cause: [F] No information provided. This certainly seems like SQL injection is a strong possibility.
- Discovery: [F] No information provided. Did consumers report unauthorized or suspicious transactions? Did the credit card company let Banner know? Was it discovered during routine security sweeps?
- Remedy: [D] No details on any specific fixes for this breach. Credit card monitoring (of little real value) for victims will be provided for a period of time–even though healthcare data is lifelong.
- Future: [F] No clarity or visibility on any long-term changes. What are they doing to establish a culture of security that deserves my future trust? No idea.
- Blame: [D] Why does the disclosure spend a paragraph warning customer to “remain vigilant” and to monitor statements from payment cards and health providers?
- Oddity: [F] The fact that there were two separate breaches indicates a much deeper breach, but no information about this was provided.”
Protected Health Information (PHI) is a lot more valuable to hackers than financial data as it is lifelong, difficult to correct, and can be used for countless fraudulent activities.
Read the full article here.
Consumers Refuse to Allow Blue Cross to Escape Data Breach Claims
On Thursday, consumers in New York federal court argued that the Blue Cross Blue Shield Association cannot escape the class action claims it faces over a health insurance data breach and must be held responsible for failing to protect sensitive information.
The BCBSA proposed a bid to shake the data breach claims against Excellus BlueCross BlueShield, which is one of its licensees. Customers fiercely criticized this bid, contending that Excellus had signed a contract promising health care to federal workers and it would ensure the protection of consumer information.
The proposed class action lawsuits, which began after hackers gained access to about 10 million consumer records, allege that the company “failed to protect customer information, waited too long to tell customers about the breach and did not give customers adequate information about how to protect themselves in the wake of the breach.”
BCBSA moved to toss the data breach claims against it last month, arguing that it merely entered into the contract on behalf of independent insurance companies that it licenses the Blue Cross and Blue Shield marks to.
Faraci Lange partner Hadley L. Matarazzo, who represents the customers, told Law360 that “BCBSA, as sponsors and administers of a health plan for federal employees, made certain promises regarding data security that they failed to live up to.”
Read the full article here.