Nixon Peabody LLP

OCR enters into $5.1 million settlement with a health plan following large and lengthy data breach

    Feb 1, 2021


    By Valerie Montague

    Enforcement action serves as a reminder to health plans, as well as health care providers and business associate vendors, to implement security protections on an enterprise-wide level.

    Following a data breach that began in 2013, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently entered into a settlement with Excellus Health Plan, Inc. (“Excellus”), resulting in a payment of $5.1 million and a corrective action plan.

In 2015, Excellus, a health insurer providing coverage to individuals in New York, reported a HIPAA breach to OCR that affected over 9.3 million individuals. The incident was a cyberattack in which hackers gained unauthorized access to Excellus' information technology systems. Over a period of approximately a year and a half, the hackers installed malware and took other actions to access protected health information without authorization. In addition to demographic and treatment information, the hackers accessed individuals' Social Security numbers and bank account information.

In its investigation of the breach, OCR identified a number of potential HIPAA violations, including the failure to implement policies and procedures that grant access to information systems only to those persons or software programs with appropriate access rights, as required by the HIPAA Security Rule's information access management standard. The investigation also found that Excellus failed to implement procedures to regularly review records of information system activity (the Security Rule cites audit logs, access reports, and security incident tracking reports as examples). Finally, OCR determined that Excellus failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information, and did not implement security measures sufficient to reduce the risks and vulnerabilities it had identified to a reasonable and appropriate level.

Although the financial settlement is a large dollar amount, a number of factors likely contributed to that figure, including the high number of affected individuals and the fact that the breach involved information of a higher degree of sensitivity, such as Social Security numbers and bank account information. In addition, the fact that the hackers reportedly had access to the Excellus systems for such a long period likely factored into the settlement amount; an intrusion that goes undetected for roughly a year and a half is itself strong evidence that information system activity was not being reviewed.

This settlement serves as an important reminder to entities regulated under HIPAA of the importance of not only conducting a robust, enterprise-wide security risk analysis covering every system that creates, receives, maintains, or transmits electronic protected health information, but also of taking steps to mitigate or eliminate the risks that analysis identifies. The issues identified by OCR focus on implementation: health plans, health care providers, and their business associate vendors must take action to limit access to electronic systems that maintain protected health information, and they must continuously monitor and review activity on those systems.

Practices: Cybersecurity & Privacy; Healthcare