Data Breach affecting 9.3m people makes Health insurance provider pay $5.1m penalty

470

New York based Excellus Health Insurance Company failed to protect the data of its 9.3m customers from a data breach that lasted for seventeen months, the firm has agreed to pay $5.1 million as penalty to the Office of Civil Rights (OCR) at the US Department of Health and Human Services (HHS).

Cybersecurity Insiders has learnt that Excellus, an organization that doesn’t work for profits, has agreed to pay the stipulated amount as it failed to comply with the HIPAA data privacy and security rules by not following basic security measures in protecting the data of its customers.


Going by the details, Excellus that also covers elective abortions in and around New York State under the Blue Card program became a victim of a cyber attack in 2015 when its IT staff learned that hackers have infiltrated into the database fraudulently to siphon data from the IT systems.

Later, a detailed investigation revealed that the attack took place in Dec’2013 and existed till May’15 as hackers installed a data snooping malware on the database impacted over 9.3 million individuals.

Information is out that names of insurance policy holders, addresses, date of births, email addresses, social security numbers, bank account details, health plan claims, and some lab test reports were accessed by hackers.

Healthcare plans affected in the BlueCard member’s data breach include BlueCross BlueShield of Utica Watertown, Excellus BlueCross BlueShield, BlueCross and BlueShield of the Rochester Area, and BlueCross BlueShield of Central New York.

Since Excellus was found violating the HIPAA rules; the OCR penalized the healthcare service provider with a hefty amount. However, the fine was reviewed again in January 2021 and was re-imposed as a sizable monetary settlement that Excellus agreed to pay by the 3Q of this year.