Governance & Risk Management , HIPAA/HITECH , Incident & Breach Response

Excellus Health Plan Hit With $5.1 Million HIPAA Settlement

Security Shortcomings Found in Wake of Major Data Breach
Excellus Health Plan Hit With $5.1 Million HIPAA Settlement

The Department of Health and Human Services has slapped insurer Excellus Health Plan with a $5.1 million settlement in the wake of a 2015 breach that affected more than 9.3 million individuals.

See Also: Cyber Insurance Assessment Readiness Checklist

Excellus, which serves upstate and western New York, in September 2015 filed a breach report stating that intruders had gained unauthorized access to its information systems, HHS’ Office for Civil Rights says in a statement Friday.

The Blue Cross Blue Shield health plan reported that the breach began on or before Dec. 23, 2013, and ended on May 11, 2015.

”The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information,” OCR says.

OCR’s investigation found the organization failed to conduct an enterprisewide risk analysis and failed to implement risk management, information system activity review and access controls.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” says OCR Director Roger Severino in the statement. “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries.

“We know that the most dangerous hackers are sophisticated, patient and persistent. Healthcare entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

Corrective Action Plan

In addition to the monetary settlement, Excellus Health Plan must implement a corrective action plan that includes these steps:

  • Conduct a comprehensive risk analysis.
  • Develop an enterprisewide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis.
  • Develop and distribute to the workforce written policies and procedures to address risk management of PHI.

Among those affected by the breach were individuals who are members of other Blue Cross Blue Shield plans who sought treatment in the 31-county upstate New York service area of Excellus.

Excellus Statement

Excellus Health Plan in a statement to Information Security Media Group notes that its settlement agreement with OCR "contains no finding of HIPAA or other violations, nor does the company make any admissions or concessions."

The company adds: "OCR and Excellus have mutually agreed to this settlement to avoid the uncertainty and expense of further investigation and formal proceedings. The corrective action plan is focused on completion of those items already required by OCR’s HIPAA regulations."

Other Actions

The settlement with Excellus is the second HIPAA enforcement action OCR has announced so far in 2021. The first was a $200,000 settlement with Arizona-based integrated healthcare system Appeals Court Vacates $4.3 Million HIPAA Penalty).

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.