UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF NEW YORK EXCELLUS DATA BREACH SETTLEMENT NOTICE
This is a Court approved legal Notice. This is not an advertisement.
Settlement Website: https://excellusdatabreachclassaction.com/
A Settlement has been reached with Excellus Health Plan Inc. (“Excellus”), Lifetime Healthcare, Inc., Lifetime Benefit Solutions, Inc., Genesee Region Home Care Association, Inc. d/b/a Lifetime Care, MedAmerica, Inc., and Univera Healthcare (collectively, the “Excellus Defendants”) and Blue Cross Blue Shield Association (“BCBSA”) in a class action lawsuit arising from a Cyberattack affecting Excellus’s computer network that was discovered on August 5, 2015 (“Cyberattack”) and led to a data breach. If you are an individual in the United States whose Personally Identifiable Information (PII) and/or Personal Health Information (PHI) was stored in Excellus’s systems between December 23, 2013 and May 11, 2015, who (1) is included in Excellus’s list of Impacted Individuals and (2) whose PII and/or PHI currently resides in Excellus’s systems, you are a Class Member. The Excellus Defendants and BCBSA deny any wrongdoing, and no court has made a determination that the Excellus Defendants and BCBSA have done anything wrong. Instead, both sides agreed to a settlement. Under the terms of the settlement, Excellus is required to make changes to or enhance a number of business practices related to safeguarding the PHI and/or PII of its subscribers and insureds for three years after the settlement is final or two years after each item below is fully implemented.
Excellus has also agreed to provide certain information to confirm implementation of the agreed upon changes. Because disclosing the specifics of these changes have the potential to create a security risk, only a summary is provided below.
- Information Security Budget. Excellus will increase and maintain a minimum information security budget and any amounts not allocated to information in a given year will be rolled over to the subsequent year and must be spent on information security.
- Document Destruction Mechanism. Within 12 months of the settlement becoming final, Excellus will develop a strategy, and engage vendor(s) as appropriate, to ensure Records containing PII or PHI are disposed of within one year of the original retention period as set forth in Excellus’s document retention policy. Within 24 months of the settlement becoming final, Excellus will make good faith efforts to effectuate the enforcement mechanism and will report on this progress.
- Specific Security Measures. Excellus will take several specific steps to make its network more secure related to its tools, processes and systems for detecting suspicious activity, authenticating users, responding to and containing security incidents and document retention. The specific details of these security enhancements cannot be shared due to the potential security risk disclosure could pose.
- Office of Civil Rights Documentation. Excellus provided Plaintiffs’ counsel with copies of all submissions to the Office of Civil Rights (OCR) pursuant to the Resolution Agreement and Corrective Action Plan, which came about as a result of an investigation conducted by OCR, not including any exchange of financial information between the OCR and Excellus and redacted as to settlement amounts. You can see the Resolution Agreement and Corrective Action plan at https://www.hhs.gov/sites/default/files/excellus-ra-cap.pdf.
- Data Archiving Project. Excellus has represented it has engaged in an extensive data archiving program following the cybersecurity incident, including with respect to its databases that maintain PII and PHI. Excellus agrees to provide Plaintiffs’ counsel with confirmatory discovery regarding these archiving projects so that plaintiffs can confirm the extent, scope and thoroughness of this archiving project.
- Annual Declaration. For three years after the Settlement, Excellus will provide Plaintiffs’ counsel with an annual declaration attesting to its compliance with each of the foregoing items, and, to the extent Excellus has not complied with any of the foregoing items, an explanation of the deficiency and proposed steps to remedy the non-compliance. In exchange for the above business practice changes and information exchange, Class Members will release any and all claims for injunctive and declaratory relief they may have against the Excellus Defendants and BCBSA. Class Members will not release any claims against Excellus Defendants and BCBSA for monetary damages. The Court overseeing this case still has to decide whether to approve the Settlement. Note that your legal right are affected even if you do nothing. Please read this document carefully.
YOUR LEGAL RIGHTS AND OPTIONS IN THIS SETTLEMENT
Object or Comment on the Settlement
You may object to the Settlement by writing to the Court, Class Counsel and defense counsel and informing why you do not think the settlement should be approved. For detailed information on how to object to the Settlement, see the section titled “Objecting to the Settlement” below. The deadline for objecting to the Settlement is Friday, March 11, 2022. You may, but are not required to, attend the Final Approval Hearing where the Court may hear arguments concerning approval of the Settlement. If you wish to attend and speak at the Final Approval Hearing, you must make the request to do so in your written objection no later than the deadline. The Court will conduct the Final Approval Hearing using the Zoom for Government platform on Wednesday, April 13, 2022 at 1 p.m. Directions for accessing the Final Approval Hearing may be obtained by contacting Hon. Elizabeth A. Wolford’s chambers at email@example.com or 585-613-4320 for instructions.
If you do nothing, and the Settlement is approved, you will not be able to sue the Excellus Defendants or BCBSA for claims for injunctive relief related to the data breach from the Cyberattack. This Settlement will not affect your rights to sue Excellus or BCBSA for monetary damages.
What is the purpose of this document?
A Court authorized this document to inform you about a proposed Settlement that may affect your rights related to injunctive and declaratory relief. This document explains the nature of the case, the general terms of the proposed Settlement, and how it may affect you. The Settlement will not affect your rights to sue the Excellus Defendants and BCBSA for monetary damages.
What is this case about?
On September 9, 2015, Excellus announced it had been the subject of a cyberattack resulting in the compromise of the PII and PHI of its members, subscribers, insureds, patients and customers. The cyberattack affected more than 10 million individuals. The case was brought against the Excellus Defendants and BCBSA on behalf of all affected individuals, based on plaintiffs’ claim that the Excellus Defendants and BCBSA failed to adequately protect its members, subscribers, insureds, patients and customers PII and PHI. Plaintiffs originally sought on behalf of the class both monetary damages and injunctive relief requiring the Excellus Defendants and BCBSA to change its information security practices. Although the Court concluded that classes seeking damages could not be certified for several legal reasons, the Court certified a class for injunctive relief. The Excellus Defendants and BCBSA deny any wrongdoing, and no court has made any judgment or other determination that the Excellus Defendants or BCBSA have done anything wrong. The current complaint filed in this case, which describes the legal claims alleged by plaintiffs, the alleged facts giving rise to the lawsuit, and the relief sought is available at https://excellusdatabreachclassaction.com/courtdocuments/.
What is a class action?
A class action is a case brought by an individual or individuals known as class representatives who act on behalf of a larger group of affected person or class. Even if you have not filed your own case regarding the Cyberattack, you will benefit from the commitments provided by this Settlement because the case is proceeding as a class action. In November 2020, the U.S. District Court for the Western District of New York determined that it could not certify the case as a class action for damages for legal reasons. However, the Court certified a class for purposes of seeking injunctive relief. The Court appointed plaintiffs as class representatives to represent not only their personal interests, but the interests of all members of the class. These class representatives remain “Class Representatives” for the Settlement.
Why is there a settlement?
Settlements avoid the costs and uncertainty of a trial and related appeals while providing benefits to Class Members when the Settlement becomes final. The Court has not decided the case in favor of any party. Instead, both sides have agreed to a settlement. The Class Representatives, who represent the interests of all Class Members and the attorneys for the Class (“Class Counsel”) believe the Settlement is in the best interests of Class Members.
How do I know if I am part of the Settlement?
You are a Class Member, and you are affected by this Settlement, if you are an individual in the United States whose Personally Identifiable Information (PII) and/or Personal Health Information (PHI) was stored in Excellus Health Plans, Inc.’s systems between December 23, 2013 and May 11, 2015, who (1) are included in Excellus’s list of Impacted Individuals and (2) whose PII and/or PHI currently resides in Excellus’ systems you are a Class Member.
Do I have a lawyer in this case?
Yes. The Court appointed as “Class Counsel” Hadley Lundback Matarazzo of Faraci Lange, LLP, James J. Bilsborrow of Seeger Weiss, Eric H. Gibbs of Gibbs Law Group and Lynn A. Toops of Cohen & Malad. If you want to be represented by your own lawyer, you may hire one at your own expense. Class Counsel’s contact information is as follows:
Hadley Lundback Matarazzo
Faraci Lange, LLP
28 E. Main Street, Suite 1100
Rochester, New York 14614
James J. Bilsborrow
Seeger Weiss LLP
55 Challenger Road
Ridgefield Park, New Jersey 07660
Eric H. Gibbs
Gibbs Law Group LLP
505 14th Street, Suite 1110
Oakland, California 94612
Executive Committee Member
Lynn A. Toops
Cohen & Malad, LLP
One Indiana Square, Suite 1400
Indianapolis, Indiana 46204
Executive Committee Member
How will Class Counsel be paid?
Class Counsel will make an application for reasonable attorneys’ fees, costs and expenses, which must be approved by the Court before they are paid. Class Counsel will also ask the Court to approve Service Awards of up to $7,500 per Class Representative to compensate each Class Representative. The Court will decide the amount of attorneys’ fees, costs and expenses, and the amount of any Service Awards to be awarded. The Excellus Defendants and BCBSA have not agreed to any specific amounts. Any attorneys’ fees, costs and expenses or Service Awards awarded will be paid by Excellus. Class Counsel intends to a request a fee of no more than $ 3,600,000.00 and to be reimbursed expenses of no more than $700,000.00. Class Counsel’s application for an award of attorneys’ fees, costs and expenses is due Friday, February 11, 2022 (30 days before Objection Deadline). This application will be made available on the Settlement Website at https://excellusdatabreachclassaction.com/ before the deadline to object to the Settlement. The Excellus Defendants and BCBSA will not be opposing the application.
BENEFITS FOR CLASS MEMBERS
The Settlement provides a number of security commitments by Excellus designed to prevent future cyberattacks similar to the one that was discovered on August 5, 2015. These benefits are discussed at the beginning of this Notice.
LEGAL RIGHTS RESOLVED THROUGH SETTLEMENT
How does the Settlement affect my rights?
If the Settlement becomes final, you will release all claims for declaratory or injunctive relief against the Excellus Defendants and BCBSA related to the Cyberattack. You will no longer have any right to file a lawsuit against the Excellus Defendants or BCBSA seeking a declaratory judgment or injunction related to the Cyberattack – whether or not you are currently aware of any such claims. This Settlement does not release any claims you have against the Excellus Defendants or BCBSA for money damages related to the Cyberattack and data breach. All of the Court’s orders will apply to you and legally bind you. You can access the Settlement Agreement and read the specific details of the legal claims being released at https://excellusdatabreachclassaction.com/.
OBJECTING TO THE SETTLEMENT
You can object to the Settlement, Class Counsel’s request for attorneys’ fees, costs and expenses and/or the request for Service Awards for Class Representatives. You object to the Settlement when you disagree with some aspect of the Settlement and think the Court should not give Final Approval to the Settlement. An Objection allows your views to be heard by the Court. Filing an Objection means you are asking the Court to deny approval to the Settlement, Class Counsel’s request for fees, costs and expenses, and/or the Class Representatives’ request for Service Awards. You cannot ask the Court to order a different settlement—it can only approve or deny the Settlement that has been reached. If the Court denies approval of the Settlement, the case will continue. If that is what you want to happen, you may state that in an Objection.
If you choose to make an Objection, it must be in writing and contain the following:
(i) the objector’s full name, address, telephone number, and e-mail address (if any);
(ii) information identifying the objector as a Class Member, including proof that the objector is a member of the Class (e.g., copy of original notice of the Cyberattack );
(iii) a written statement of all grounds for the objection, accompanied by any legal support for the objection the objector believes applicable;
(iv) the identity of all counsel representing the objector, if any;
(v) the identity of all counsel representing the objector who will appear at the Final Fairness Hearing, if any;
(vi) a list of all persons who will be called to testify at the Final Fairness Hearing in support of the objection, if any;
(vii) a statement confirming whether the objector intends to personally appear and/or testify at the Final Fairness Hearing;
(viii) the objector’s signature and the signature of the objector’s duly authorized attorney or other duly authorized representative (along with documentation setting forth such representation), if any;
(ix) a list, by case name, court, and docket number, of all other cases in which the objector (directly or through counsel) has filed an objection to any proposed class action settlement within the last 3 years;
(x) a list, by case name, court, and docket number, of all other cases in which the objector’s counsel (on behalf of any person or entity) has filed an objection to any proposed class action settlement within the last three (3) years; and
(xi) a list, by case name, court, and docket number, of all other cases in which the object or has been a named plaintiff in any class action or served as a lead plaintiff or class representative. To be heard by the Court, the Objection must be filed with the Clerk of the Court for the Western District of New York in Rochester, New York no later than March 11, 2022 (60 days after the Preliminary Approval Date) and must be sent by that date to the following:
Hadley Lundback Matarazzo
Faraci Lange, LLP
28 E. Main Street, Suite 1100
Rochester, New York 14614
David A. Carney
Baker & Hostetler LLP
127 Public Square, Suite 2000
Cleveland, Ohio 44114
Counsel for the Excellus Defendants
Kirkland & Ellis LLP
300 North LaSalle
Chicago, Illinois 60654
Counsel for BCBSA
Can I exclude myself from the Settlement?
No, under Federal Rule of Civil Procedure 23(b)(2) and the applicable law, it is not possible to opt out of the Settlement.
FINAL APPROVAL HEARING
When and where will the Court decide whether to approve the Settlement?
The Court will hold the Final Approval Hearing at 1 p.m. on Wednesday April 13, 2022 using the Zoom for Government platform. If the date or time of the Final Approval Hearing changes, an update will be posted to https://excellusdatabreachclassaction.com/. Directions for accessing the Final Approval Hearing may be obtained by contacting Hon. Elizabeth A. Wolford’s chambers at firstname.lastname@example.org or 585-613-4320 for instructions. At the Final Approval Hearing, the Court will consider whether the Settlement is fair, reasonable and adequate. If there are Objections, the Court will consider them. The Court may listen to people who appear at the hearing and who have provided notice of their intent to appear at the hearing (see section titled “Objecting to the Settlement” above). The Court may also consider any application by Class Counsel for attorneys’ fees, costs and expenses, as well as Service Awards for the Class Representatives. Any motions for attorneys’ fees, costs and expenses will be posted on https://excellusdatabreachclassaction.com/ after they are filed, and not later than 30 days after entry of the Court’s Preliminary Approval Order, if the Court grants Preliminary Approval. At or after the hearing, the Court will decide whether to approve the Settlement.
Do I have to attend the hearing?
No. Class Counsel will answer any questions the Court may have. You may attend at your own expense if you wish. If you submit a written objection, you do not have to come to the Court to talk about it. As long as you submit your written objection on time, that is sufficient for the Court to consider it. You may also pay your own lawyer to attend, but it is not required. If the Court conducts the hearing by videoconference, you may appear by videoconference.
May I speak at the hearing?
At the hearing, the Court, at its discretion, will hear any Objections and arguments concerning the fairness of the Settlement. You may attend, but you do not have to. As described above in the section titled “Objecting to the Settlement”, you may speak at the Final Approval Hearing if you have timely filed your Objection with all the required information, stated in your Objection that you are appearing in person and the Court grants you permission to be heard.
If you do nothing, and the Settlement is approved, you will not be eligible to sue the Excellus Defendants and BCBSA for claims for injunctive and declaratory relief related to the Cyberattack. The Settlement will not affect your rights to sue the Excellus Defendants and BCBSA for monetary damages.
GETTING MORE INFORMATION
This Notice summarizes the proposed Settlement. More details are in the Settlement Agreement itself. You can get a copy of the Settlement Agreement, view other case documents and get additional information and updates by visiting https://excellusdatabreachclassaction.com/. All of the case document that have been filed publicly in this case are also available online through the Court’s Public Access to Court Electronic Records (PACER) system at https://ecf.nywd.uscourts.gov/cgi-bin/ShowIndex.pl. This case is called Fero, et al. v. Excellus Health Plan, Inc., et al., and the case number is 6:15-cv-06569. You may obtain case documents by visiting the office of the Clerk of the Court for United States District Court for the Western District of New York, Rochester Division, between 9:00 a.m. and 4:00 p.m., Monday through Friday, excluding Court holidays. Due to COVID-19, please check the Court’s website in the event there are any operational changes at https://www.nywd.uscourts.gov/clerks-office-0.
PLEASE DO NOT TELEPHONE THE COURT OR THE COURT CLERK’S OFFICE TO INQUIRE ABOUT THE SETTLEMENT OR THE CLAIMS PROCESS.