Excellus Health Plan, which does business as Excellus Blue Cross and Blue Shield, has agreed to pay HHS' Office for Civil Rights $5.1 million to resolve alleged HIPAA violations, the agency said Friday.
The $5.1 million payment resolves possible HIPAA violations stemming from a data breach the New York-based health insurer reported to OCR in September 2015. Attackers had access to Excellus' information technology systems from at least December 2013 until May 2015, roughly 17 months, before the intrusion was detected. The breach compromised data on more than 9.3 million people.
Excellus in 2015 said the data breach affected an estimated 7 million Excellus members and an estimated 3.5 million members of non-Blues affiliates of its holding company, Lifetime Healthcare Cos.
OCR's investigation into the incident identified possible HIPAA violations, including Excellus' failure to conduct risk analyses and its failure to implement risk management processes, according to the agency.
"Hacking continues to be the greatest threat to the privacy and security of individuals' health information," said Roger Severino, OCR's director, in a statement. "In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries."
The $5.1 million settlement is the first HIPAA settlement announced by OCR this year. The largest HIPAA settlement the office reached last year was a $6.85 million payment by Premera Blue Cross, the second-largest resolution of possible HIPAA violations in OCR's history after the $16 million paid by Anthem in 2018.
In addition to the monetary settlement, Excellus will implement a corrective action plan that includes HHS monitoring the insurer's compliance with HIPAA for two years.
Excellus entered the settlement with OCR on behalf of Lifetime Healthcare Cos., an Excellus spokesperson wrote in an emailed statement.
"The settlement agreement contains no finding of HIPAA or other violations, nor does the company make any admissions or concessions," the spokesperson wrote. "OCR and Excellus have mutually agreed to this settlement to avoid the uncertainty and expense of further investigation and formal proceedings."