HHS Announces $5.1M Settlement with Excellus After Health Information Breach

On Friday, the Department of Health and Human Services announced in a news release that New York health insurer Excellus Health Plan Inc. will pay HHS’s Office for Civil Rights (OCR) $5.1 million and will enact a corrective action plan after a breach of Excellus’ information technology systems that affected the health records of more than 9.3 million people.

On Sept. 9, 2015, Excellus reported the years-long breach — reportedly taking place from Dec. 23, 2013, until May 11, 2015 — that involved hackers installing malware resulting in the leak of “names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information” of the 9.3 million individuals, according to the HHS news release.

After investigating, OCR found potential Health Insurance Portability and Accountability Act (HIPAA) violations, including “failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls,” according to the news release.

Along with providing monetary relief, Excellus also will implement a corrective action plan as part of the terms of the agreement. The elements of the plan include conducting a risk analysis of “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” in Excellus’ record systems and developing a risk management plan that would “mitigate any security risks and vulnerabilities” found through the risk analysis, according to the agreement.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” OCR Director Roger Severino said in the news release.