An American health insurer has agreed to pay $5.1m to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
The agreement entered into by Excellus Health Plan, Inc. relates to a data breach that lasted 17 months and affected around 9.3 million people.
Excellus is a New York–based health services company that provides health insurance coverage to more than 1.5 million people in upstate and western New York.
A breach report filed by Excellus on September 9, 2015, said that cyber-attackers had gained unauthorized access to the company’s information technology systems.
The breach began on or before December 23, 2013, and continued until May 11, 2015. After gaining access to the company’s systems, the attackers installed malware and conducted reconnaissance activities that ultimately resulted in the disclosure of protected health information (PHI) of more than 9.3 million individuals.
Data exposed in the attack included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.
Plans affected by the breach were BlueCard Members; BlueCross BlueShield of Central New York; BlueCross and BlueShield of the Rochester area; BlueCross BlueShield of Utica-Watertown; and Excellus BlueCross BlueShield.
OCR’s investigation into the security incident found potential violations of the HIPAA rules, including failures to implement risk management, information system activity review, and access controls, and failure to conduct an enterprise-wide risk analysis.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said OCR director Roger Severino.
“We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”
In addition to paying a sizable monetary settlement, Excellus has agreed to undertake a corrective action plan that includes two years of monitoring.