Following a data breach that began in 2013, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently entered into a settlement with Excellus Health Plan, Inc. (“Excellus”), resulting in a payment of $5.1 million and a corrective action plan.
In 2015, Excellus, a health insurer providing coverage to individuals in New York, reported a HIPAA breach to OCR that impacted over 9.3 million individuals. The incident involved a cyberattack whereby hackers gained unauthorized access to Excellus’ information technology systems. Over a period of approximately a year and a half, the hackers used malware and took other actions to impermissibly access protected health information. In addition to demographic and treatment information, the hackers accessed individuals’ Social Security numbers and bank account information.
In its investigation of the breach, OCR discovered a number of potential HIPAA violations, including the failure to implement policies and procedures to provide access to information systems only to those with proper access rights, as required under the HIPAA Security Rule. The investigation also found that Excellus failed to implement procedures to regularly review its information system activity. Finally, OCR determined that Excellus failed to conduct an adequate and thorough risk analysis of the potential risks and vulnerabilities to its electronic protected health information and did not implement security measures to reduce identified risks and vulnerabilities.
Although the financial settlement is a large dollar amount, several factors likely drove the penalty: the high number of impacted individuals, the heightened sensitivity of the compromised data (Social Security numbers and bank account information, in addition to demographic and treatment information), and the reported length of time, roughly a year and a half, that the hackers retained access to Excellus' systems before the breach was detected.
This settlement serves as an important reminder to entities regulated under HIPAA that a robust, enterprise-wide security risk analysis is only the first step; the risks and vulnerabilities it identifies must then be reduced or eliminated. The issues OCR identified focus on implementation: health plans, health care providers, and their business associate vendors must limit access to electronic systems that maintain protected health information to those with proper access rights, and they must regularly review and continuously monitor activity on those systems.