HHS Resolution Agreement: Excellus Health Plan, Inc. (Jan. 15, 2021); HHS News Release (Jan. 15, 2021)
HHS’s Office for Civil Rights (OCR) has announced a $5.1 million resolution agreement with a health insurer to settle potential violations of HIPAAColorful privacy and security rules that led to a breach of protected health information (PHI) affecting more than 9.3 million individuals. The underlying breach was attributed to cyberattackers installing malware to conduct reconnaissance activities that ultimately disclosed the individuals’ names, addresses, birthdates, email addresses, Social Security numbers, bank account information, health plan claims, and treatment information. After receiving the insurer’s breach report, OCR investigated, finding that the insurer neither conducted an enterprise-wide risk analysis nor implemented adequate procedures for risk management, information system activity review, or access controls. According to the news release, the hackers’ incursion into the insurer’s health record system continued undetected for over a year.
In addition to the settlement payment, the insurer agreed to a corrective action plan (CAP). The CAP requires the insurer to conduct an enterprise-wide risk analysis for all its owned, controlled, or administered electronic equipment, data systems, and applications that contain, store, transmit, or receive PHI at its owned and rented facilities. The insurer must adopt an enterprise-wide risk management plan corresponding to the risk analysis. Policies and procedures must be reviewed and revised to address access controls and the regular review of audit logs, access reports, and other records of information system activity. The foregoing CAP requirements are subject to OCR’s review and approval. The revised policies and procedures must be made available to the insurer’s workforce members. The insurer must submit periodic compliance reports to OCR.
EBIA Comment: This resolution agreement includes one of the largest settlement payments in OCR’s HIPAA enforcement history. The size of the payment was undoubtedly influenced by the large number of affected individuals and the extended period of the undetected intrusion. OCR has demonstrated scant patience for covered entities and business associates that allow infiltrations to continue for extended periods because they lack access controls and processes to monitor information system activity. It will be interesting to see whether settlements of this magnitude continue in the wake of the recent court decision criticizing some of OCR’s enforcement procedures (see our Checkpoint article). For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”), XX.E (“Civil Monetary Penalties”), and XXX (“Core Security Requirements”). You may also be interested in our webinar “HIPAA Breaches: Preparation and Response” (recorded on 9/10/20).
Contributing Editors: EBIA Staff.