Skip to main content

Nixon Peabody LLP

Article

OCR enters into $5 1 million settlement with a health plan following large and lengthy data breach

Feb 1, 2021

By Valerie Montague

Enforcement action serves as a reminder to health plans, as well as health care providers and business associate vendors, to implement security protections on an enterprise-wide level.

Following a data breach that began in 2013, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently entered into a settlement with Excellus Health Plan, Inc. (“Excellus”), resulting in a payment of $5.1 million and a corrective action plan.

In 2015, Excellus, a health insurer providing coverage to individuals in New York, reported a HIPAA breach to OCR that impacted over 9.3 million individuals. The incident involved a cyberattack whereby hackers gained unauthorized access to Excellus’ information technology systems. Over a period of approximately a year and a half, the hackers used malware and took other actions to impermissibly access protected health information. In addition to demographic and treatment information, the hackers accessed individuals’ Social Security numbers and bank account information.

In its investigation of the breach, OCR discovered a number of potential HIPAA violations, including the failure to implement policies and procedures to provide access to information systems only to those with proper access rights, as required under the HIPAA Security Rule. The investigation also found that Excellus failed to implement procedures to regularly review its information system activity. Finally, OCR determined that Excellus failed to conduct an adequate and thorough risk analysis of the potential risks and vulnerabilities to its electronic protected health information and did not implement security measures to reduce identified risks and vulnerabilities.

Although the financial settlement is a large dollar amount, a number of factors likely impacted that penalty, including the high number of impacted individuals and the fact that the breach involved information with a higher degree of sensitivity, such as Social Security numbers and bank account information. In addition, the fact that the hackers reportedly had access to the Excellus system for such a long period likely played into the financial settlement amount.

This settlement serves as an important reminder to entities regulated under HIPAA of the importance of not only conducting a robust, enterprise-wide security risk analysis, but also the importance of taking steps to lessen or eliminate identified risks. The issues identified by OCR focus on implementation; health plans, health care providers, and their business associate vendors must take action to limit access to electronic systems that maintain protected health information, and they must continuously monitor system activity.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe