Excellus BlueCross BlueShield agreed to pay the Office for Civil Rights $5.1 million to settle potential HIPAA violations related to a data breach, HHS said Jan. 15.
In September 2015, Excellus filed a breach report that said cyberattackers gained access to its IT systems. The breach began in December 2013 and ended in May 2015, Excellus said.
More than 9.3 million people were affected by the breach, according to HHS. The hackers installed malware into Excellus' IT system, which led to the disclosure of people's Social Security numbers, bank account information and clinical treatment information, among other personal data.
An investigation from the OCR found Excellus may have violated HIPAA by failing to conduct a risk analysis and IT system review.
In addition to the settlement, the insurer also agreed to implement a corrective action plan, which includes two years of monitoring.
Read more here.