The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has entered into a settlement with Excellus Health Plan, under which Excellus has agreed to pay $5.1 million and to enter into a corrective action plan. The settlement was prompted by an OCR investigation that found widespread noncompliance with provisions of the HIPAA Privacy and Security Rules. The breach that resulted from this noncompliance exposed the protected health information (PHI) of over 9.3 million people. Details of the HIPAA data breach are discussed below.

Cyberattack Causes HIPAA Data Breach

Excellus Health Plan is a New York health services corporation that provides health insurance coverage to over 1.5 million people in Upstate and Western New York. In September of 2015, Excellus filed a breach report with OCR, stating that cyber-attackers had gained unauthorized access to its IT systems. In its report, Excellus noted that the breach began in December of 2013, and continued until May of 2015.

During this time, the hackers had free rein over Excellus’ systems and installed malware that allowed them to spy on ePHI. The cyberattackers’ activities ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.

OCR Investigation and the Settlement

OCR’s investigation found that Excellus had likely violated the HIPAA Privacy Rule by failing to prevent unauthorized access to the ePHI stored on Excellus’ IT systems. 

OCR’s investigation also found that Excellus had likely violated multiple requirements of the Security Rule, including:

  • The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • The requirement to implement procedures to regularly review records of information systems activity.
  • The requirement to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. 

OCR fined Excellus $5.1 million for this large-scale data breach. OCR Director Roger Severino, in announcing the fine, noted: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries. We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”