Excellus Health Plan to pay $5.1M fee over data breach that impacted 9.3M: HHS

Excellus Health Plan will pay a $5.1 million penalty for a data breach that impacted more than 9.3 million people, the Trump administration announced last week.

The Department of Health and Human Services Office of Civil Rights (OCR) said that in addition to the settlement fine, Excellus has agreed to a corrective action plan that will include two years of monitoring.

New York-based Excellus filed a report on the breach in September 2015, OCR said, stating that cyber attackers had gained access to its systems on or before Dec. 23, 2013. The breach lasted through May 2015, OCR said.

In its report, Excellus said that hackers installed malware and mined data that exposed the information of more than 9.3 million people, including names, addresses, dates of birth, Social Security numbers, email addresses, bank account information, claims data and clinical treatment information.


“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino in a statement.

“We know that the most dangerous hackers are sophisticated, patient, and persistent,” Severino said. “Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

A subsequent OCR investigation found likely violations of the Health Insurance Portability and Accountability Act (HIPAA), including a failure to conduct a company-wide risk analysis and a failure to implement a risk management program, information system activity review and access controls.