Health insurer Excellus is latest to argue that hacked data could’ve come from anywhere

Four years after hackers gained a foothold in Excellus's systems, court battles continue.
(Quinn Dombrowski / Flickr)

Four years after Excellus BlueCross BlueShield was hacked and more than 10 million members had their data exposed, the insurer remains on the defensive in class action lawsuits claiming it ignored cybersecurity at peril of its own members.

Excellus failed last week in an attempt to win dismissal of a suit after arguing unsuccessfully that the data stolen and used against the victims could plausibly have come from any hack anywhere.

Part of the $6.6 billion group of Lifetime healthcare companies, Excellus took 20 months to detect the breach from its 2013 beginnings and another month to disclose it in September 2015. The lawsuits have piled on since then as members claim they were victims of identity theft, false tax filings and credit fraud.

Arguing that the 2013 breach was due in significant part to negligence, the plaintiffs alleged that a May 2012 audit of Univera Healthcare, an Excellus company and a defendant in the lawsuit, found that the healthcare company’s “Risk Assessment Policies & Procedures failed to identify the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI.” The audit was carried out by KPMG, one of the big four auditor firms in the U.S., which was hired by the Department of Health and Human Services’ Office for Civil Rights.

In April 2014 — after the hack happened but before it was discovered — the FBI Cyber Division issued a Private Industry Notification outlining that “the health care industry is not technically prepared to combat against cyber criminals,” and that the industry was far less ready to deal with challenges than the financial and retail sectors, making intrusions even more likely.

Courts have consistently rejected arguments from corporations claiming that lawsuits need to immediately and concretely link data misuse to the data breaches. Instead the courts have said that in the early days of a lawsuit, it is enough for plaintiffs to posit plausible allegations that then must be supported.

What’s traceable?

Similar arguments were seen against lawsuits following the Target hack in 2013, a milestone corporate security disaster that is credited with forcing executives and board rooms to more fully pay attention to cybersecurity after years of neglect. In the Target case, the judge found it was sufficient that the store admitted the victims’ private information was breached and exposed to hackers. Companies like the online retailer Zappos and the restaurant chain P.F. Chang’s, which suffered a breach in 2014, have tried and failed with the same argument during their own years-long post-hack litigation.

The question raised by the corporations is whether the harm done to these victims is “fairly traceable” to this exact data breach and to their own security failures. Excellus’ arguments failed when U.S. District Judge Elizabeth Wolford said the lawsuit’s complaint plausibly alleged the identity theft and various misuses of data can be fairly traced to the Excellus breach. In the early stages of litigation — four years on, we’re still in the early stages — plausible allegations are sufficient to move the lawsuit forward.
The 2013 breach was discovered in 2015 when Excellus hired the security firm Mandiant to audit the company’s systems after major healthcare industry data breaches like Anthem’s, which also remains the subject of court battles today. Mandiant found malware but did not find evidence of exfiltration of the data, a fact repeatedly pointed out by Excellus as it argues that data from these plaintiffs could be from anywhere. Crucially, however, Mandiant couldn’t rule out the attacker accessing patient data of up to 15 million individuals and their dependents.

The facts on the Mandiant assessment led the court to dismiss claims about the risk of future identity fraud as too speculative from four particular plaintiffs who have not pointed to any misuse of their own data. The court also partially dismissed the claim that Excellus misrepresented its security because none of the plaintiffs alleged they actually saw or read security and privacy notices by the company prior to purchasing insurance, according to the court.

The surviving claims in the lawsuit are centered on alleged violations of consumer protection laws, violations of the California Customer Records Act and violations of state insurance personal privacy laws.

Excellus BlueCross BlueShield made a $99.5 million profit in 2016, a 71 percent boost since 2015 when the breach was announced.
