A settlement has been reached in a class-action lawsuit against Excellus Blue Cross Blue Shield over a data breach.

The breach happened between 2013 and 2015 and impacted tens of millions of people. It was discovered on August 5, 2015.

On Monday, attorneys announced that the settlement had been reached with Excellus, Lifetime Healthcare Inc., Lifetime Benefit Solutions Inc., Genesee Region Home Care Association Inc., MedAmerica Inc., Univera Healthcare and Blue Cross Blue Shield Association. According to the lawsuit, the companies were alleged to have failed to protect customer information, waited too long to inform customers about the breach and did not give customers adequate information about how to protect themselves after the breach.

The Excellus companies and the Blue Cross Blue Shield Association deny any wrongdoing, maintaining no court has made a determination that the defendants have done anything wrong, a statement in the agreement notes.

Under the agreement, the following business-practice changes are required to be made:

  • Increasing and maintaining a minimum information security budget
  • Developing a strategy to ensure records containing personally identifiable information (PII) or personal health information (PHI) are disposed of within one year of the original retention period
  • Making its network more secure related to its tools, processes and systems for detecting suspicious activity, authenticating users, responding to/containing security incidents, and document retention
  • Engaging in an extensive data archiving program with respect to its databases that maintain PII and PHI

The plaintiffs were represented by attorneys at Faraci Lange LLP, Weitz & Luxenberg, Gibbs Law Group LLP and Cohen & Malad LLP.

“We are pleased to reach this settlement on behalf of our clients, whose personal information may have been compromised as a result of this data breach,” said Hadley Lundback Matarazzo, partner, Faraci Lange LLP and co-lead counsel in the Excellus class action litigation. “According to this agreement, Excellus must make business-practice changes to better safeguard customer information in the future.”

A judge still has to approve the settlement. That hearing is scheduled to happen on April 13.

More information about the settlement can be found on the Faraci Lange website and in legal documents.