Excellus will pay $5.1M to OCR after data breach affects 9.3M people

The breach lasted for more than a year and resulted in the disclosure of individuals' names, Social Security numbers and other protected health information.
By Kat Jercich
03:21 PM

The U.S. Department of Health and Human Services Office for Civil Rights announced Friday that Excellus Health Plan, also known as Excellus BlueCrossBlueShield, has agreed to pay $5.1 million to settle potential HIPAA violations.

The potential violations regarded a breach lasting nearly a year and a half that affected over 9.3 million people, said OCR.

"We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat," said OCR Director Roger Severino in a statement.

WHY IT MATTERS

Excellus is a New York-based health insurer that provides insurance coverage to more than 1.5 million people in upstate and western New York. 

In September 2015, Excellus filed a breach report stating that cybercriminals had gained unauthorized access to its IT systems. The attackers had installed malware and conducted snooping activities, ultimately resulting in the disclosure of the protected health information of more than 9.3 million individuals. 

This included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims and clinical treatment information, according to OCR.

In addition, Excellus reported that the breach began on or before December 23, 2013 and ended on May 11, 2015 – about 17 months later. 

OCR’s investigation found potential violations of HIPAA rules, including failures to implement risk management, information system activity review, access controls and a failure to conduct an enterprise-wide risk analysis.

In addition to the monetary settlement, Excellus will undertake a corrective action plan including two years of monitoring.

THE LARGER TREND

Although the Excellus incident occurred more than five years ago, health systems and hospitals have faced a continuing spate of cyberattacks – compounded further by the COVID-19 crisis, increased reliance on telehealth and now the vaccine rollout.

Last fall, HHS, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency warned of an "increased and imminent" cyber threat to hospitals and offered basic suggestions for how hospitals and healthcare organizations can shore up their defenses.

ON THE RECORD

"Hacking continues to be the greatest threat to the privacy and security of individuals' health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries," said Severino.


Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich

Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
