Excellus HIPAA Class Action Lawsuit

The final chapter of the Excellus Health Plan 2015 data breach that affected more than 9.3 million patients nationwide may be in sight. A settlement has been reached between the plaintiffs’ attorneys and the company in the Excellus HIPAA class action lawsuit, pending judicial review.

Basis of Excellus HIPAA Class Action Lawsuit

Attorneys announced the settlement on January 24, 2022, with Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare, and Blue Cross Blue Shield Association (BCBSA).

The lawsuit alleged that the companies did not adequately protect customer information, failed to inform customers of the breach promptly, and provided customers with inadequate information about how to protect themselves from the effects of the breach.

In September 2015, Excellus filed a breach report with OCR disclosing that cybercriminals had unrestricted access to patient files containing electronic protected health information (ePHI) from December 2013 through May 2015.

Fines Imposed Prior to Excellus HIPAA Class Action Lawsuit

In January 2021, Excellus entered into a settlement agreement with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over the 2015 data breach. Excellus agreed to pay $5.1 million in fines and entered into a corrective action plan with OCR. 

Settlement Details of Excellus HIPAA Class Action Lawsuit

The class-action settlement includes a statement declaring that both Excellus and BCBSA deny any wrongdoing, and no court has made a determination of wrongdoing.

Excellus agreed to make the following changes to their business practices:

  • Increasing and maintaining a minimum information security budget.
  • Developing strategies to ensure that records containing PHI are disposed of within one year of the end of the original retention period.
  • Strengthening network security, including its tools, processes, and systems for detecting suspicious activity, authenticating users, responding to and containing security incidents, and retaining documents.
  • Engaging in an extensive data archiving program for its databases that maintain PII and PHI.

The settlement must still be approved by the judge overseeing the case. A hearing is scheduled for April 13, 2022.

Takeaways from Excellus HIPAA Class Action Lawsuit

The Excellus settlement illustrates that class-action lawsuits following a data breach or cybercrime incident are increasingly becoming the rule instead of the exception. 

Additionally, the rate of hacking and ransomware attacks continues to increase at a breakneck pace, and smaller organizations are now the targets of choice.

Having a HIPAA compliance strategy that addresses the full breadth of the federal law has never been more important. The obvious benefit is that compliance with the regulations shields your business from the fines and reputational damage associated with violating the law.

The hidden benefits of HIPAA compliance: 

  • a culture of compliance that can better protect the protected health information you hold; 
  • a commitment to privacy and security controls; 
  • an efficient workplace that yields satisfied clients; and 
  • a more robust bottom line.

Compliancy Group has a simple, effective solution for businesses of all sizes that leverages industry-leading software with dedicated, individualized coaching to get your team fully compliant. You also gain access to our network of business associates who share your commitment to compliance when you recognize that you need to do more. 

Read more about the settlements here: Class Action Settlement, OCR Settlement
