New York health insurer pays $5.1M to settle potential HIPAA violations

New York-based health insurer Excellus Health Plan Inc. will pay $5.1 million to the U.S. Department of Health and Human Services Office for Civil Rights to settle potential Health Insurance Portability and Accountability Act violations related to a breach affecting more than 9.3 million people.

On Sept. 9, 2015, Excellus Health Plan filed a breach report stating cyber attackers had gained unauthorized access to its information technology systems on or before Dec. 23, 2013, until May 11, 2015, according to  an HHS news release .

The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims and clinical treatment information, the release stated.

The Office for Civil Rights' investigation found potential violations of the HIPAA Privacy and Security Rules, including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review and access controls, according to the release.

In addition to the monetary settlement, Excellus Health Plan will undertake a corrective action plan that includes two years of monitoring.

The ADA Complete HIPAA Compliance Kit includes a manual and videos that give dentists a step-by-step, plain language process for developing a HIPAA program, as well as all the digital forms they need. To order the kit, use promo code 21104 by April 9 to receive 15% off all ADA Catalog resources.