Health Insurer Fined $5.1m Over Data Breach

An American health insurer has agreed to pay $5.1m to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.


The agreement entered into by Excellus Health Plan, Inc. relates to a data breach that lasted 17 months and affected over 9.3 million people. 


Excellus is a New York–based health services corporation that provides health insurance coverage to over 1.5 million people in upstate and western New York.


A breach report filed by Excellus on September 9, 2015, stated that cyber-attackers had gained unauthorized access to the company's information technology systems.  


The breach began on or before December 23, 2013, and dragged on until May 11, 2015. After gaining entry to the company's systems, malicious hackers installed malware and conducted reconnaissance activities that ultimately resulted in the disclosure of protected health information (PHI) of more than 9.3 million individuals.


Information exposed in the attack included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.


Plans affected by the breach were BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.


OCR’s investigation into the security incident found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review, and access controls and failure to conduct an enterprise-wide risk analysis.


“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said OCR director Roger Severino. 


“We know that the most dangerous hackers are sophisticated, patient, and persistent.  Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”


In addition to paying a sizable monetary settlement, Excellus has agreed to undertake a corrective action plan that includes two years of monitoring.



Source: Health Insurer Fined $5.1m Over Data Breach