HHS Announces $5.1 Million Settlement for HIPAA Breach Affecting Over 9.3 Million
On January 15, 2021, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced that Excellus Health Plan, Inc. has agreed to pay $5.1 million and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”).
On September 9, 2015, Excellus Health Plan filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems. The attackers installed malware, which ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals. The information included patient names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims information, and clinical treatment information.
As a result of that breach report, OCR opened an investigation, which revealed that Excellus may have failed to conduct an enterprise-wide risk analysis and failed to implement risk management, information system activity review, and access controls as required by the HIPAA Security Rule. Had these safeguards been in place, they may have reduced the scope of the breach or limited the amount of data compromised.
How Frier Levitt Can Help
Poor security practices are widespread and affect both large and small companies. Attackers know this and target entities ranging from sole proprietors to large institutions because personal data is valuable.
HIPAA requires covered entities and their business associates to implement comprehensive policies and procedures to protect the privacy and security of protected health information. Institutional failures, such as the lack of safeguards or risk mitigation plans, may cause investigators to pursue an entity more aggressively for a breach or other violation of HIPAA, as demonstrated by OCR’s recent settlement with Excellus Health Plan.
Contact Frier Levitt for assistance in preparing and implementing policies and procedures to lower the risk of a breach, as required by HIPAA, and to address HIPAA security incidents after they occur.