Health Insurer Fined $5.1m Over Data Breach

  • An American health insurer has agreed to pay $5.1m to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

    The agreement entered into by Excellus Health Plan, Inc. relates to a data breach that lasted 17 months and impacted more than 9.3 million people.

    Excellus is a New York–based health services company that provides health insurance coverage to over 1.5 million people in upstate and western New York.

    A breach report filed by Excellus on September 9, 2015, stated that cyber-attackers had gained unauthorized access to the company’s information technology systems.

    The breach began on or before December 23, 2013, and dragged on until May 11, 2015. After gaining access to the company’s systems, the attackers installed malware and carried out reconnaissance activities that ultimately resulted in the disclosure of the protected health information (PHI) of more than 9.3 million people.

    Data exposed in the attack included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and medical treatment information.

    Plans impacted by the breach were BlueCard Partners, BlueCross BlueShield of Central New York, BlueCross and BlueShield of the Rochester region, BlueCross BlueShield of Utica-Watertown, and Excellus BlueCross BlueShield.

    OCR’s investigation into the security incident found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review, and access controls, and failure to conduct an enterprise-wide risk analysis.

    “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said OCR director Roger Severino.

    “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

    In addition to paying a sizable monetary settlement, Excellus has agreed to undertake a corrective action plan that includes two years of monitoring.