$5.1 Million Penalty Paid by Excellus Health Plan to Settle HIPAA Violation Case

Health insurer Excellus Health Plan has agreed to pay $5.1 million to the Department of Health and Human Services' Office for Civil Rights (OCR) to settle potential HIPAA violations connected to a data breach discovered in 2015 that affected 9.3 million individuals.

Excellus Health Plan uncovered the breach in 2015, the same year that the massive breaches at the health insurers Anthem Inc. (78.8 million compromised records) and Premera Blue Cross (10.6 million compromised records) came to light. All three organizations have now paid substantial penalties to OCR to settle their respective cases.

Excellus Health Plan, which also operates as Excellus BlueCross BlueShield and Univera Healthcare, serves Western and Upstate New York. In August 2015, the company discovered that hackers had gained access to its computer systems. According to the breach investigation, the attackers likely first gained access on December 23, 2013 and retained it until May 11, 2015. Excellus submitted its breach report to OCR on September 9, 2015.

The attackers deployed malware on Excellus's systems, performed reconnaissance, and accessed the healthcare data of around 7 million Excellus Health Plan members and approximately 2.5 million Lifetime Healthcare members. The exposed information included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims details, financial account information, and clinical treatment information.

OCR opened its investigation of the Excellus breach in June 2016 to determine whether Excellus Health Plan had complied with the HIPAA Security, Privacy, and Breach Notification Rules. The investigation identified five areas of potential non-compliance:

  • Excellus had not conducted an accurate and thorough enterprise-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of its members' electronic protected health information (ePHI).
  • It had not implemented security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
  • It lacked technical policies and procedures governing access to systems containing ePHI by authorized individuals and software programs.
  • It lacked policies and procedures requiring regular review of information system activity, such as audit logs and access reports, which is why the intrusion went undetected for more than 18 months.
  • As a result of these failures, unauthorized individuals gained access to the PHI of 9,358,891 members.

Excellus Health Plan agreed to pay the penalty to close the investigation and resolve the matter without admitting liability. In addition to the payment, Excellus has adopted a corrective action plan to address each area of non-compliance identified by OCR, and OCR will monitor the health plan for two years to confirm that it remains HIPAA compliant.

This is the second HIPAA enforcement action OCR has announced in 2021. The first required Banner Health to pay $200,000 to settle a potential violation of the HIPAA Right of Access standard.