Nixon Peabody LLP


    OCR enters into $5.1 million settlement with a health plan following large and lengthy data breach

    Feb 1, 2021

    By Valerie Montague

    Enforcement action serves as a reminder to health plans, as well as health care providers and business associate vendors, to implement security protections on an enterprise-wide level.

    Following a data breach that began in 2013, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently entered into a settlement with Excellus Health Plan, Inc. (“Excellus”), resulting in a payment of $5.1 million and a corrective action plan.

    In 2015, Excellus, a health insurer providing coverage to individuals in New York, reported a HIPAA breach to OCR that impacted over 9.3 million individuals. The incident involved a cyberattack whereby hackers gained unauthorized access to Excellus’ information technology systems. Over a period of approximately a year and a half, the hackers used malware and took other actions to impermissibly access protected health information. In addition to demographic and treatment information, the hackers accessed individuals’ Social Security numbers and bank account information.

    In its investigation of the breach, OCR discovered a number of potential HIPAA violations, including the failure to implement policies and procedures to provide access to information systems only to those with proper access rights, as required under the HIPAA Security Rule. The investigation also found that Excellus failed to implement procedures to regularly review its information system activity. Finally, OCR determined that Excellus failed to conduct an adequate and thorough risk analysis of the potential risks and vulnerabilities to its electronic protected health information and did not implement security measures to reduce identified risks and vulnerabilities.

    Although the financial settlement is a large dollar amount, a number of factors likely impacted that penalty, including the high number of impacted individuals and the fact that the breach involved information with a higher degree of sensitivity, such as Social Security numbers and bank account information. In addition, the fact that the hackers reportedly had access to the Excellus system for such a long period likely played into the financial settlement amount.

    This settlement serves as an important reminder to entities regulated under HIPAA of the importance not only of conducting a robust, enterprise-wide security risk analysis, but also of taking steps to lessen or eliminate identified risks. The issues identified by OCR focus on implementation; health plans, health care providers, and their business associate vendors must take action to limit access to electronic systems that maintain protected health information, and they must continuously monitor system activity.
