Popular American health insurer Excellus Health Plan has agreed to pay a penalty of $5.1 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to settle potential violations arising from a data breach discovered in 2015. Excellus has been penalized for potentially violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Though Excellus discovered the data breach in 2015, it began before December 2013. Attackers illicitly gained access to Excellus computer systems and compromised more than 9.3 million individuals’ Protected Health Information (PHI). The data breach, which lasted over 17 months, exposed consumer details such as names, addresses, Social Security numbers, health plan claims, bank account information, and other sensitive information.
Excellus Violated HIPAA
As per the OCR investigation, Excellus violated HIPAA by failing to perform an enterprise-wide risk analysis, to implement risk management measures, and to protect customers’ sensitive information.
“The settlement agreement contains no finding of HIPAA or other violations, nor does the company make any admissions or concessions. The civil rights office started its investigation in 2016, and there are no new factual findings regarding the attack as a result of the OCR inquiry,” said Excellus spokesman Jim Redmond.
“We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat,” said OCR Director Roger Severino.
Biggest HIPAA Fine So Far
In one of the biggest HIPAA fines imposed by OCR in 2019, Jackson Health Systems, Florida, was charged $2.15 million on account of multiple HIPAA violations. With the intent of identity theft, an employee of Jackson Health Systems leaked and sold around 2,000 PHI patient records.