
Insurer Pays $5.1M OCR Penalty for Data Breach Involving 9.3M Patients

OCR settled with insurer Excellus Health Plan for $5.1 million and a corrective action plan, to resolve potential HIPAA violations following a 2015 patient data breach.

New York-based Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, agreed to a $5.1 million civil monetary penalty and a corrective action plan with the Office for Civil Rights to resolve possible HIPAA failures found after a 2015 data breach impacting 9.3 million patients.

The Excellus security incident was one of the largest data breaches of 2015. Although it was discovered in August 2015, hackers had first gained access to the health plan’s network more than 18 months earlier, in December 2013.

During that time, the threat actors installed malware into Excellus’ network and conducted reconnaissance. The hackers were also able to access the protected health information of about 7 million Excellus patients and 2.5 million members of its non-BlueCross subsidiary, Lifetime Healthcare.

The compromised data included names, dates of birth, Social Security numbers, contact details, member identification numbers, financial account information, and claims data.

Following the breach report filed on September 9, 2015, OCR launched an investigation and found five potential HIPAA violations.

Specifically, OCR determined Excellus did not conduct an accurate and thorough risk analysis of all vulnerabilities and threats to the confidentiality, integrity, and availability of all ePHI on its network.

The health plan was also found to have not implemented the HIPAA-required security measures that could have sufficiently reduced overall network risks to an appropriate level, while failing to prevent the breach of ePHI.

Lastly, OCR found the health plan did not implement adequate policies and procedures for the electronic information systems that maintained its ePHI to ensure appropriate access controls.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” said OCR Director Roger Severino, in a statement. “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries.

“We know that the most dangerous hackers are sophisticated, patient, and persistent,” he added. “Healthcare entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

In addition to the penalty, Excellus has agreed to implement a corrective action plan that includes two years of monitoring. OCR has required the health plan to conduct a comprehensive risk analysis for all incorporated facilities and electronic equipment.

The risk analysis must be preceded by a complete inventory of all equipment, data systems, and applications that store, transmit, or receive ePHI. Excellus must also develop an enterprise risk management plan to address any risks revealed during the analyses.

All workforce members are required to be trained on all new policies and procedures, with routine reports to OCR on the progress of each step of the process.

The Excellus settlement is the second enforcement penalty announced by OCR in 2021 and the first stemming from a PHI breach. Just this week, Banner Health reached a $200,000 settlement with OCR to resolve multiple potential violations of the HIPAA Right of Access regulation.
