IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New York Health Insurer to Pay Feds $5.1M After Data Breach

Excellus BlueCross BlueShield has agreed to a settlement after it was determined the insurer may not have done enough to prevent hackers from obtaining private information about more than 9.3 million people.

Shutterstock/Vlad L
(TNS) — Excellus BlueCross BlueShield has agreed to pay $5.1 million to settle a federal investigation that found the insurer may not have done enough to prevent hackers from obtaining private information about more than 9.3 million people in a cyberattack discovered in 2015.

The Office for Civil Rights at the U.S. Department of Health and Human Services announced that Excellus agreed to make the payment to settle potential violations of federal health information privacy rules. As part of the settlement, Excellus also agreed to take corrective action to strengthen the security of its customers’ private medical information.

“In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” Roger Severino, director of the Office of Civil Rights, said in a prepared statement.

Excellus announced in September of 2015 that cyber-attackers had gained unauthorized to its computer systems. The breach began on Dec. 23, 2013 and ended May 11, 2015. The hackers installed malware and conducted reconnaissance, obtaining personal information that included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health insurance claims and clinical treatment information for more than 9.3 million people.

Excellus has said it learned of the cyberattack after hiring a cybersecurity firm to assess its information technology system.

The federal investigation found “potential” violations of Health Insurance Portability and Accountability Act (HIPAA0 rules including failures to implement risk management and information system activity review.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” Severino said. “We know that the most dangerouys hackers are sophisticated, patient and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.

©2021 Syracuse Media Group, Distributed by Tribune Content Agency, LLC.