$5.1m HIPAA Penalty Settlement Agreed by Excellus Health Plan


Health insurer Excellus Health Plan has agreed to pay a $5.1m penalty to the Department of Health and Human Services’ Office for Civil Rights (OCR) to settle potential HIPAA violations arising from a data breach, discovered in 2015, that impacted 9.3m people.

The breach was identified in 2015 by Excellus, the group that operates as Excellus BlueCross BlueShield and Univera Healthcare to provide insurance in upstate and western New York. It was noticed during August 2015 that cybercriminals had infiltrated its computer databases. The breach investigation uncovered that access to the databases had first taken place on December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015.

The hackers placed malware on its systems, carried out reconnaissance, and were found to have viewed the healthcare data of around 7 million Excellus Health Plan members and approximately 2.5 million subscribers to Lifetime Healthcare, its non-BlueCross entity. The data accessed by the hackers included names, contact information, dates of birth, Social Security numbers, health plan ID details, claims data, financial account information, and clinical treatment details.

OCR opened an investigation into the breach in June 2016 to determine whether Excellus Health Plan was fully compliant with the HIPAA Privacy, Security, and Breach Notification Rules. The investigation identified five standards of the HIPAA Rules that Excellus may have violated.

OCR found that the health plan had failed to conduct an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) of its members. Adequate measures had not been put in place to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and technical policies and procedures that allow only authorized persons and software programs to access systems containing ePHI were insufficient. As a result of these failures, unauthorized individuals obtained access to the PHI of 9,358,891 of its members. It took Excellus more than 18 months to notice that its databases had been infiltrated. OCR also found that policies and procedures requiring regular reviews of information system activity were non-existent.

The financial penalty was agreed with OCR to avoid a further in-depth review and formal proceedings, and the settlement was reached with no admission of liability or wrongdoing. Along with paying the fine, Excellus is required to implement a corrective action plan covering all areas of potential noncompliance identified by OCR during the investigation. Excellus will also be monitored closely by OCR for two years to ensure ongoing compliance with the HIPAA Rules.

OCR Director Roger Severino commented: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries. We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”