Excellus Health Plan Hit with $5.1 Million Penalty for 10 Million-Record Data Breach

Excellus Health Plan has settled a HIPAA violation case with the HHS’ Office for Civil Rights and has agreed to pay a $5.1 million penalty and adopt a corrective action plan to ensure its policies, procedures, and cybersecurity protections are fully compliant with the standards of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.

Lifespan Healthcare Inc., doing business as Excellus Health Plan, Excellus BlueCross BlueShield, and Univera Healthcare, is a not-for-profit health service organization that provides health insurance coverage to 1.5 million individuals in Upstate and Western New York.

In 2015, hackers were discovered to have gained access to computer systems that contained the electronic protected health information of 9,358,891 individuals. The breach was reported to OCR on September 9, 2015, and OCR initiated an investigation on June 29, 2016.

The purpose of the investigation was to determine whether Excellus was in compliance with the HIPAA Rules prior to the breach. OCR investigators determined that Excellus had failed to prevent an unauthorized third party from gaining access to individuals’ ePHI and had potentially violated five standards of the HIPAA Rules.

The HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – requires covered healthcare organizations to conduct an accurate, thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of all electronic protected health information (ePHI). Risks identified during the risk analysis must then be reduced to a reasonable and appropriate level – 45 C.F.R. § 164.308(a)(1)(ii)(B).

HIPAA-covered entities must also implement technical policies and procedures for electronic information systems that maintain ePHI to only permit authorized persons or software programs to access ePHI on those systems – 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1).

Information system activity logs must be created and regularly reviewed to identify unauthorized activity – 45 C.F.R. § 164.308(a)(1)(ii)(D) – to allow corrective actions to be taken promptly in the event of a security breach.

These compliance issues contributed to the impermissible disclosure of the ePHI of 9,358,891 individuals, which 45 C.F.R. § 164.502(a) requires covered entities to prevent.

OCR determined that the severity of the potential HIPAA violations warranted a financial penalty. Excellus agreed to pay the penalty to avoid legal action and bring the case to a close. Excellus maintained there had been no wrongdoing and the case was settled with no admission of liability.

In addition to paying the sizeable $5.1 million financial penalty, Excellus will implement a corrective action plan to address all issues highlighted by OCR’s investigation and will be monitored by OCR for two years to ensure continued compliance with the HIPAA Rules.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”