HIPAA Data Breach Impacts 9.3 Million

Posted by BAS - 04 February, 2021


Excellus Health Plan entered into a settlement agreement and corrective action plan agreeing to pay $5.1 million for alleged HIPAA breaches. The breach impacted more than 9.3 million people.

Excellus Health Plan filed a breach report with the Department of Health and Human Services in 2015 stating that hackers had gained access to its IT systems. The breach occurred between December 23, 2013, and May 11, 2015. According to the report, the cyber-criminals installed malware and performed reconnaissance activities that resulted in the disclosure of protected health information of more than 9.3 million health plan members. The impermissible disclosures included names, addresses, birthdates, email addresses, Social Security numbers, bank account information, health care claims and treatment information.

When HHS investigated the incident, it determined that Excellus Health Plan potentially violated HIPAA by failing to conduct an enterprise-wide risk analysis and failing to implement risk management, IT system activity review and access controls.

Excellus Health Plan must pay $5.1 million and enter into a corrective action plan.

Topics: HIPAA, MyEnroll360 Security, HR & Benefits News, Technology News

