Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals.

The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties.

Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015.

The hackers installed malware on its systems, performed reconnaissance, and were found to have accessed the healthcare data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary. The information accessed by the hackers included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR launched an investigation of the breach in June 2016 to determine whether Excellus Health Plan was in compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The investigation identified five standards of the HIPAA Rules where Excellus was potentially noncompliant.

OCR determined the health plan had failed to conduct an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) of its members.  Sufficient measures had not been implemented to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and technical policies and procedures that only allow authorized persons and software programs to access systems containing ePHI were insufficient. As a result of these issues, unauthorized individuals gained access to the PHI of 9,358,891 of its members. It took Excellus more than 18 months to discover its systems had been breached. OCR found policies and procedures requiring regular reviews of information system activity to be lacking.

The financial penalty was agreed with OCR to avoid further investigation and formal proceedings, and the settlement was reached with no admission of liability or wrongdoing. In addition to paying the financial penalty, Excellus is required to adopt a corrective action plan that covers all areas of potential noncompliance identified by OCR during the investigation. Excellus will also be monitored closely by OCR for 2 years to ensure continued compliance with the HIPAA Rules.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information.  In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent.  Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

This is the second HIPAA enforcement action to be announced by OCR in 2021. Earlier this month, OCR said a $200,000 settlement had been reached with Banner Health to resolve potential HIPAA Right of Access violations. The Excellus settlement comes just a few hours after the 5th Circuit Court of Appeals vacated a $4.3 million Civil Monetary Penalty imposed by OCR on University of Texas M.D. Anderson Cancer Center that stemmed from three incidents involving the loss/theft of portable devices containing ePHI between 2012 and 2013.

The two HIPAA settlements in January follow on from a record year of HIPAA enforcement that saw 19 financial penalties paid by HIPAA covered entities and business associates to resolve potential violations of HIPAA Rules.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.