Excellus Health Plan Pays $5.1 Million Penalty to Settle HIPAA Violation Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that health insurance provider Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case arising from a data breach, discovered in 2015, that affected 9.3 million people.

Excellus Health Plan discovered the breach in 2015, the same year the large-scale data breaches at health insurance providers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records) were discovered. All three companies have now resolved the resulting breach investigations and paid OCR sizeable financial penalties.

Excellus Health Plan, dba Excellus BlueCross BlueShield and Univera Healthcare, operates in Western and Upstate New York. In August 2015, the health insurance provider discovered that hackers had gained access to its computer systems. The breach investigation showed that the hackers had access to its systems from around December 23, 2013 until May 11, 2015. Excellus reported the breach to OCR on September 9, 2015.

The hackers infected its systems with malware, conducted reconnaissance, and accessed the healthcare information of about 7 million members of Excellus Health Plan and roughly 2.5 million members of Lifetime Healthcare, a non-BlueCross subsidiary. The information accessed included names, contact details, birth dates, health plan ID numbers, Social Security numbers, claims information, financial account data, and clinical treatment details.

OCR began investigating the Excellus breach in June 2016 to determine whether Excellus Health Plan had complied with the HIPAA Security, Privacy, and Breach Notification Rules. The investigation identified five requirements of the HIPAA Rules with which Excellus had likely failed to comply.

OCR found that the health plan had not performed an accurate and thorough company-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of its members’ electronic protected health information (ePHI). It had not implemented sufficient security measures to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, nor technical policies and procedures restricting access to systems containing ePHI to authorized individuals and applications. As a result of these failures, unauthorized individuals gained access to the PHI of 9,358,891 members, and Excellus did not discover the breach for more than 18 months. OCR also found that Excellus lacked policies and procedures requiring regular review of information system activity.

Excellus Health Plan agreed to pay the financial penalty to settle the case and avoid further investigation and formal proceedings, without admitting liability. In addition to the financial penalty, Excellus has agreed to adopt a corrective action plan that addresses all areas of potential noncompliance identified by OCR during the investigation. OCR will monitor Excellus for two years to ensure continued HIPAA compliance.

Hacking remains the biggest threat to the security and privacy of PHI. In this case, the health plan failed to prevent hackers from accessing its health record systems and did not detect them for over a year, which compromised the privacy of millions of people. Hackers are innovative and persistent, so healthcare organizations must step up their efforts to safeguard health data from them.

This is OCR’s second HIPAA enforcement action of 2021. The first was the $200,000 settlement with Banner Health to resolve potential HIPAA Right of Access violations.