On January 15, 2021 the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced a $5,100,000 settlement with Excellus Health Plan, Inc. ("Excellus") for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
According to HHS, hackers accessed the Excellus electronic medical records system from December 2013 through May 11, 2015, resulting in the disclosure of the protected health information for over 9.3 million people. This data included patient name, address, date of birth, email addresses, social security number, bank account information, health plan claims and clinical treatment information.
In addition to the monetary settlement, Excellus agreed to a very thorough and detailed two-year Corrective Action Plan.
You can read the HHS Resolution Agreement and the Corrective Action Plan here.