A class action lawsuit claiming negligence and breach of contract was filed Friday against Rochester's largest insurer in the wake of a data breach that potentially exposed personal information of millions of people.
The complaint on behalf of Matthew Fero, Shirley Krenzer and Erin O'Brien names Excellus Health Plan Inc. and Lifetime Healthcare Inc. The complainants are seeking nationwide and New York class status and awards of unspecified damages and legal fees. There is a request for a jury trial.
Fero and Krenzer are current Excellus subscribers. O'Brien was a subscriber until April, according to the suit.
"To the best of my knowledge, this is the first one to be filed," said Hadley Matarazzo, partner with Faraci Lange, who filed the suit in U.S. District Court in Rochester. "Additional ones may be filed."
Asked for a response to the lawsuit, Excellus spokesman Jim Redmond wrote in an email that the company does not comment on litigation.
If the lawsuit is not certified as class action, individuals can proceed on their own, Matarazzo said.
The lawsuit was filed just over a week after Excellus BlueCross BlueShield and parent Lifetime Healthcare Cos. announced a "sophisticated cyberattack" of their information technology system. They said they learned of the breach on August 5th. However, they acknowledged an initial hack in December 2013 that went undiscovered and said it wasn't until a cybersecurity firm was hired as a result of hacks on other insurers that their own breach was detected.
Approximately 10.5 million individuals may have been affected by the data breach, which followed hacks of health insurers elsewhere in the country, notably other Blues plans Anthem and Premera. Excellus has about 1.6 million members, but the breach affects current and former subscribers, patients and others who do business with Excellus and Lifetime Healthcare. Members of other Blues plans who were treated in the 31 counties serviced by Excellus also were affected, which is why the potential number is so high.
The suit claims the company was negligent in maintaining subscriber data, catching the breach and taking the necessary steps to ensure the system was secure and that any breaches were caught in a timely fashion.
Redmond wrote that an investigation has not determined that any data were removed. He wrote the investigation continues and "to date there is no evidence that any data has been used inappropriately." He wrote he could not provide details because of an ongoing FBI investigation.
Excellus and Lifetime are offering two years of credit monitoring and identify theft protection to people affected. But the lawsuit claims that is not enough.
"What we're looking for is whatever we need to do assist the plaintiffs in restoring them back to the situation (before) the breach," Matarazzo said. "We would like protection against identity theft well into the future." She said it's well-known that free monitoring runs out after a relatively short time, so anyone who has stolen information can wait until the protection expires.
Redmond wrote that tens of thousands of those affected have signed up "and the numbers are constantly growing." However, credit monitoring is not available to anyone younger than 18, which Matarazzo said leaves children particularly vulnerable. "Someone can use the identity of the kids because you wouldn't know about it."
Asked about protection for children, Redmond wrote that free identify theft protection is available for members' children until Sept. 9, 2019. He said the child's identity theft protection services include consultation and restoration.