Skip to main content
Toggle Menu of ADA WebSites
ADA Websites
Commissions
Toggle Search Area
Toggle Menu
e-mail Print Share

New York health insurer pays $5.1M to settle potential HIPAA violations

Cyberattack resulted in disclosure of protected health information of over 9.3M people

January 28, 2021

New York-based health insurer Excellus Health Plan Inc. will pay $5.1 million to the U.S. Department of Health and Human Services Office for Civil Rights to settle potential Health Insurance Portability and Accountability Act violations related to a breach affecting more than 9.3 million people.

On Sept. 9, 2015, Excellus Health Plan filed a breach report stating cyberattackers had gained unauthorized access to its information technology systems on or before Dec. 23, 2013, until May 11, 2015, according to an HHS news release.

The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims and clinical treatment information, the release stated.

The Office for Civil Rights' investigation found potential violations of the HIPAA Privacy and Security Rules, including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review and access controls, according to the release.

In addition to the monetary settlement, Excellus Health Plan will undertake a corrective action plan that includes two years of monitoring.

The ADA Complete HIPAA Compliance Kit includes a manual and videos that give dentists a step-by-step, plain language process for developing a HIPAA program, as well as all the digital forms they need. To order the kit, use promo code 21104 by April 9 to receive 15% off all ADA Catalog resources.