Excellus Health Pays $5.1 Million to Resolve HIPAA Breach Involving Over 9 Million People

January 19, 2021
By Danielle Dietrich
Posted in Health Law, Litigation

On January 15, 2021, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $5,100,000 settlement with Excellus Health Plan, Inc. (“Excellus”) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

According to HHS, hackers accessed the Excellus electronic medical records system from December 2013 through May 11, 2015, resulting in the disclosure of protected health information for over 9.3 million people. This data included patient names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims and clinical treatment information.

In addition to the monetary settlement, Excellus agreed to a very thorough and detailed two-year Corrective Action Plan.

You can read the HHS Resolution Agreement and the Corrective Action Plan here: https://www.hhs.gov/sites/default/files/excellus-ra-cap.pdf

If you would like guidance on how to prevent HIPAA violations from occurring, or how to handle a HIPAA violation, please contact Danielle Dietrich at 412-227-0284 or ddietrich@smgglaw.com.