The Department of Health & Human Services Office for Civil Rights (OCR) announced a $5.1 million settlement with Excellus Health Plan, Inc. relating to a data breach that affected over 9.3 million individuals. The breach arose out of a cyberattack that began in December 2013, in which the attackers installed malware and conducted reconnaissance within the health plan's information technology systems. The intrusion continued until May 2015. In addition to the settlement payment, the health plan agreed to a two-year corrective action plan that requires it to conduct a comprehensive information security risk analysis; adopt an enterprise-wide risk management plan; and update its policies and procedures, including regular review of audit logs, access reports and security incident reports, and adoption of access control measures such as network or portal segmentation and password management.
Information security remains a challenge for health care providers and health plans. As of this writing, the OCR breach portal lists 711 breaches, each affecting 500 or more individuals, that were reported within the last 24 months and remain under investigation by OCR. Many of these breaches are categorized as hacking/IT incidents.