An American health insurer has been fined $5.1M for a potential HIPAA violation after a data breach saw more than 9.3 million customers impacted and their personal health information potentially accessed.
The health insurer was fined after news of a 17-month data breach came to light, which forced the Excellus Health Plan, Inc. to pay the Office for Civil Rights (OCR) a $5.1 million settlement.
The settlement came after the Department of Health and Human Services identified a series of violations of the Health Insurance Portability and Accountability (HIPAA) Act, which aims to protect the confidentiality and integrity of protected health information (PHI).
Back in September of 2015, the company in question filed a data breach report notification that said outside threat actors had managed to gain access to their network with a significant data breach.
We now know, however, that the data breach was actually launched back in December of 2013, where it remained undetected by the information security system of Excellus for more than 17 months.
Details of the settlement state that the agreement “is not an admission, concession or evidence of liability by EHP,” adding that the settlement does not mean that Excellus acted in “violation of the HIPAA Rules.”
According to reports, “after gaining entry to the company’s systems, malicious hackers installed malware and conducted reconnaissance activities that ultimately resulted in the disclosure of protected health information (PHI) of more than 9.3 million individuals.”
Regulators have said that amongst this trove of information that was accessed by hackers in a data breach, names, dates of birth, email addresses, bank account details, health care plans, social security numbers, as well as sensitive medical records.
The Office for Civil Rights within the Department of Health and Human Services has published the findings of their investigation, stating that the health insurer failed to adequately protect its network with information security policies.
The OCR found a number of HIPAA violations, including a failure to conduct a company-wide risk assessment, and the absence of a comprehensive information security review to identify potential risks to manage in the future.
Organisations that operate in the space of health and medical records are mandated to meet the government’s HIPAA requirements in order to legally operate. This is due to the fact that companies like health insurers are responsible for protecting extremely sensitive information.
This information is known as protected health information (PHI), which is a treasure trove for hackers looking to launch phishing, financial and identity fraud campaigns due to the sensitive nature of the information.
As we can see from this case in question, unauthorised hackers were able to gain access not only to name and date of birth information, but also social security, financial and medical information.
The Department of Health and Human Services has published details of the settlement, which shows that Excellus Health Plan, Inc. provides health insurance to more than 1.5 million customers.
However, the investigation of the data breach has extended to more than 9.3 million customers of health insurers affiliated with Excellus.
Director of the Office for Civil Rights, Roger Severino has said that “hacking continues to be the greatest threat to the privacy and security of individuals’ health information.”
“In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries.”
“We know that the most dangerous hackers are sophisticated, patient, and persistent,” Severino added.
“Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat,” he concluded.
As part of the settlement, Excellus has agreed to more than 24 months of monitoring by regulators and will implement a corrective action plan that increases its risk-based thinking as it moves into the future.