A non-profit, New York-based health care company last week agreed to pay $5.1 million for a data breach that lasted for more than a year and affected as many as 9.3 million people.
Excellus Health Plan, Inc., which provides health care services to 1.6 million people across upstate New York, announced the data breach publicly in September 2015.
What is Excellus Health Plan?
Founded in 1936, Excellus Health Plan has four regional headquarters (in Syracuse, Elmira, Rochester and Utica) and field offices in Watertown, Binghamton and Plattsburgh.
A nonprofit independent licensee of the Blue Cross Blue Shield Association, Excellus “provides access to high-quality, affordable health coverage, including valuable health-related resources that our members use every day, such as cost-saving prescription drug discounts and wellness tracking tools.”
When did the data breach occur?
Although Excellus only recently settled the breach with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), it began on or before December 23, 2013, and ended on May 11, 2015—leaving client information potentially exposed for nearly 18 months.
According to the company, the breach was only discovered after cyberattacks on other insurance companies (including Anthem) prompted it to engage a cybersecurity firm, FireEye Mandiant, to conduct a forensic assessment of its IT systems. Excellus was notified that cyberattackers gained unauthorized access to its IT systems on August 5, 2015.
Excellus filed a breach report with the OCR and announced the hack publicly on September 9, 2015.
The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information (PHI) of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information, according to an OCR news release.
Although Excellus has 1.5 million direct clients, the breach included information about members of other Blue Cross Blue Shield plans who sought treatment in the company’s 31-county upstate New York service area.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” said OCR Director Roger Severino. “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries.”
The breach also prompted a class-action lawsuit by affected clients.
What did the investigation find?
The OCR investigation found a number of violations of HIPAA rules, including:
- Failure to conduct a risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic PHI (ePHI).
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Failure to implement procedures to regularly review records of information system activity.
- Failure to implement a privileged access management protocol.
- Failure to prevent unauthorized access to the ePHI of 9,358,891 individuals whose ePHI was maintained in Excellus’ IT systems.
What must Excellus do as a result?
In addition to the $5.1 million monetary settlement, Excellus is required to implement a corrective action plan. The plan has several requirements, including:
- Conduct a comprehensive and thorough risk analysis of all facilities, equipment, data systems, and applications, and report the results within 180 days.
- Develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis.
- Review, develop, maintain and revise written policies and procedures to ensure compliance with federal standards that govern the privacy and security of PHI.
- Regularly review audit logs, access reports, and security incident tracking reports to monitor and respond to suspicious system activity.
- Regularly review access control measures between systems, such as network or portal segmentation, limiting access to ePHI and enforcing password management requirements, such as password age.
“We know that the most dangerous hackers are sophisticated, patient, and persistent,” Severino said. “Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
Paubox Email Suite Plus not only allows you to send HIPAA compliant email by default, but it also offers inbound email security, performing three sets of checks on every incoming email to block phishing and ransomware attacks, as well as ExecProtect, our patented technology that eliminates display name spoofing attacks.