Excellus BCBS pays $5.1M to settle data breach affecting 9.3 million people

Excellus BlueCross BlueShield agreed to pay the Office for Civil Rights $5.1 million to settle potential HIPAA violations related to a data breach, HHS said Jan. 15. 

In September 2015, Excellus filed a breach report that said cyberattackers gained access to its IT systems. The breach began in December 2013 and ended in May 2015, Excellus said.

More than 9.3 million people were affected by the breach, according to HHS. The hackers installed malware on Excellus’ IT system, which led to the disclosure of people’s Social Security numbers, bank account information and clinical treatment information, among other personal data.

An investigation from the OCR found Excellus may have violated HIPAA by failing to conduct a risk analysis and IT system review.

In addition to the settlement, the insurer agreed to implement a corrective action plan, which includes two years of monitoring.
