The Office for Civil Rights at the U.S. Department of Health and Human Services announced that Excellus agreed to make the payment to settle potential violations of federal health information privacy rules. As part of the settlement, Excellus also agreed to take corrective action to strengthen the security of its customers’ private medical information.
“In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” Roger Severino, director of the Office for Civil Rights, said in a prepared statement.
Excellus announced in September of 2015 that cyber-attackers had gained unauthorized access to its computer systems. The breach began on Dec. 23, 2013 and ended May 11, 2015. The hackers installed malware and conducted reconnaissance, obtaining personal information that included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health insurance claims and clinical treatment information for more than 9.3 million people.
Excellus has said it learned of the cyberattack after hiring a cybersecurity firm to assess its information technology system.
The federal investigation found “potential” violations of Health Insurance Portability and Accountability Act (HIPAA) rules, including failures to implement risk management and information system activity review.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” Severino said. “We know that the most dangerous hackers are sophisticated, patient and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
©2021 Syracuse Media Group, Distributed by Tribune Content Agency, LLC.