An American health insurer has agreed to pay $5.1m to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Excellus is a New York–based health services corporation that provides health insurance coverage to over 1.5 million people in upstate and western New York.
A breach report filed by Excellus on September 9, 2015, stated that cyber-attackers had gained unauthorized access to the company’s information technology systems.
The breach began on or before December 23, 2013, and dragged on until May 11, 2015. After gaining entry to the company’s systems, malicious hackers installed malware and conducted reconnaissance activities that ultimately resulted in the disclosure of protected health information (PHI) of more than 9.3 million individuals.
Information exposed in the attack included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.
Plans affected by the breach were BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.
OCR’s investigation into the security incident found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review, and access controls and failure to conduct an enterprise-wide risk analysis.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said OCR director Roger Severino.
“We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
In addition to paying a sizable monetary settlement, Excellus has agreed to undertake a corrective action plan that includes two years of monitoring.