In one of the final health care-related actions by the Trump Administration, on January 15, 2021, the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced that Excellus Health Plan, Inc. agreed to pay $5.1 million dollars and implement a Corrective Action Plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Excellus is a New York State-based health insurer that provides health insurance coverage to more than 1.5 million people.

On September 9, 2015, Excellus filed a breach report notifying HHS that hackers had gained unauthorized access to its information technology systems. The report stated the breach began on or before December 23, 2013 and ended on May 11, 2015. According to the HHS investigation, the cyber-attackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information (PHI) of 9.3 million individuals. The disclosed PHI included names, addresses, dates of birth, email addresses, social security numbers, bank account information, health plan claims, and clinical treatment information.

OCR conducted an investigation that found potential violations by Excellus of the following requirements under the HIPAA Privacy and Security Rules:

• To conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI;
• To implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
• To implement procedures to regularly review records of information system activity; and
• To implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights.

In addition to the $5.1 million payment, Excellus entered into a two-year CAP, which is not an admission of liability, and agreed to do each the following:

• Conduct a comprehensive and thorough risk analysis of potential risks and vulnerabilities to electronic PHI, which must be submitted to HHS for approval;
• Develop an enterprise-wide risk management plan to address and mitigate any security risks identified in the above risk analysis; which must be submitted to HHS for review;
• Develop and review existing policies and procedures, which must include minimum content set forth in the CAP, to comply with HIPAA Security Rule standards;
• Distribute revised policies and procedures to Excellus’ workforce; and
• In the event Excellus receives information that a workforce member has failed to comply with required policies and procedures, Excellus must investigate and notify HHS if there was a material failure to comply with policies and procedures.

This OCR settlement is an important and expensive reminder of the critical importance for all HIPAA-covered entities to protect themselves from cyberattacks. OCR Director Roger Severino stated, “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

All HIPAA-covered entities — insurance companies and health care providers, no matter their respective size — should review their HIPAA Security Rule and Privacy Rule policies and procedures to ensure they are appropriately protecting PHI.

It is not yet known how the Biden Administration will address alleged HIPAA violations nor its appetite to enter into settlement agreements and CAPs to resolve an investigation.