New York-based health insurer Excellus Health Plan, also known as Excellus BlueCross BlueShield, was ordered by the United States Department of Health and Human Services (HHS) Office of Civil Rights (OCR) last Friday, January 15, 2021, to pay $5.1 million over a 2015 data breach.
The HHS order is intended to make the health insurer pay for possible violations of the health privacy and security rules, according to Reuters Legal at Westlaw.
The suspected violations include a failure to put risk management procedures and access controls in place. Moreover, Bloomberg Law reports that Excellus also failed to conduct a more in-depth investigation of the data breach. All of these would be violations of the Health Insurance Portability and Accountability Act (HIPAA).
In a statement, the Office of Civil Rights said that the 2015 data breach affected more than 9.3 million people. According to Healthcare IT News, the incident lasted approximately one year and six months.
Threat actors reportedly installed malware on the insurer's internal IT systems, giving the hackers unauthorized access to the health information of millions of people. Based on the disclosure, the incident began on or before December 23, 2013, and continued until May 11, 2015.
The information compromised in the incident includes names, addresses, dates of birth, and Social Security numbers. Contact details such as email addresses were also exposed, according to Info Security.
The Excellus cybersecurity attack also exposed bank account information, clinical treatment information, and health plan claims. According to Info Security, the affected plans were BlueCard, BlueCross BlueShield in Central New York, BlueCross and BlueShield in Rochester, BlueCross BlueShield of Utica Watertown, and Excellus BlueCross BlueShield.
Apart from the $5.1 million settlement to be paid by Excellus, the OCR has ordered the insurer to implement a corrective action plan over the course of two years.
The OCR has also ordered the insurer to undertake an enterprise-wide risk analysis and risk management plan, Westlaw reports.
Office of Civil Rights Director Roger Severino said in a statement, “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”