An American health insurer has agreed to pay $5.1m to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The agreement entered into by Excellus Health Plan, Inc. relates to a data breach that lasted 17 months and affected over 9.3 million people.
Excellus is a New York-based health services corporation that provides insurance coverage to over 1.5 million people in upstate and western New York.
A breach report filed by Excellus on September 9, 2015, stated that cyber-attackers had gained unauthorized access to the company’s information technology systems.
The breach began on or before December 23, 2013, and continued until May 11, 2015. After gaining entry to the company’s systems, the attackers installed malware and conducted reconnaissance activities that ultimately resulted in the disclosure of protected health information (PHI) of more than 9.3 million individuals.
Information exposed in the attack included names, addresses, dates of birth, email addresses, Social Security numbers, checking account information, health plan claims, and clinical treatment information.
Plans affected by the breach were BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.
OCR’s investigation into the security incident found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review, and access controls, and a failure to conduct an enterprise-wide risk analysis.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan didn’t stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of many of its beneficiaries,” said OCR director Roger Severino.
“We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
In addition to paying a substantial monetary settlement, Excellus has agreed to undertake a corrective action plan that includes two years of monitoring.