Patrick O’Neill reports the latest litigation update involving Excellus, whose breach was covered on this site in 2015:
Four years after Excellus BlueCross BlueShield was hacked and more than 10 million members had their data exposed, the insurer remains on the defensive in class action lawsuits claiming it ignored cybersecurity at peril of its own members.
Excellus failed last week in an attempt to win dismissal of a suit after arguing unsuccessfully that the data stolen and used against the victims could plausibly have come from any hack anywhere.
Read more on CyberScoop.
While I understand the court’s reasoning, the problem is that Excellus may be right – with so many mega-hacks between 2013 and 2015, the data could have come from another hack. If a plaintiff could show an unusual name or address spelling involved in the fraud that only linked to their Excellus account, that might help prove that the Excellus breach was related to the fraud they experienced, but absent that kind of thing, it really could be hard to know which breach resulted in any one person’s harm or injury, assuming that there even was any concrete harm or injury that plaintiffs experienced.
Interestingly, I just checked HHS’s site and it appears that OCR has not closed their investigation into this incident, so Excellus is not out of the woods with OCR, either, at this point.