Excellus Health Plan Hit With $5.1 Million HIPAA SettlementSecurity Shortcomings Found in Wake of Major Data Breach
The Department of Health and Human Services has slapped insurer Excellus Health Plan with a $5.1 million settlement in the wake of a 2015 breach that affected more than 9.3 million individuals.
Excellus, which serves upstate and western New York, in September 2015 filed a breach report stating that intruders had gained unauthorized access to its information systems, HHS’ Office for Civil Rights says in a statement Friday.
The Blue Cross Blue Shield health plan reported that the breach began on or before Dec. 23, 2013, and ended on May 11, 2015.
”The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information,” OCR says.
OCR’s investigation found the organization failed to conduct an enterprisewide risk analysis and failed to implement risk management, information system activity review and access controls.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” says OCR Director Roger Severino in the statement. “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries.
“We know that the most dangerous hackers are sophisticated, patient and persistent. Healthcare entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
Corrective Action Plan
In addition to the monetary settlement, Excellus Health Plan must implement a corrective action plan that includes these steps:
- Conduct a comprehensive risk analysis.
- Develop an enterprisewide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis.
- Develop and distribute to the workforce written policies and procedures to address risk management of PHI.
Among those affected by the breach were individuals who are members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus.
Excellus Health Plan in a statement to Information Security Media Group notes that its settlement agreement with OCR "contains no finding of HIPAA or other violations, nor does the company make any admissions or concessions."
The company adds: "OCR and Excellus have mutually agreed to this settlement to avoid the uncertainty and expense of further investigation and formal proceedings. The corrective action plan is focused on completion of those items already required by OCR’s HIPAA regulations."
The settlement with Excellus is the second HIPAA enforcement action OCR has announced so far in 2021. The first was a $200,000 settlement with Arizona-based integrated healthcare system Appeals Court Vacates $4.3 Million HIPAA Penalty).