The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
The accessed information included the individuals’ names, addresses, dates of birth, Social Security numbers, bank account information, health insurance claims, and clinical treatment information.
Following an investigation, OCR found potential violations of HIPAA and the parties agreed to settle the action for a payment of $5.1 million, along with the standard requirements in a Corrective Action Plan that OCR imposes on covered entities following a data breach, including completion of a security risk assessment, implementation of a risk management plan, updating policies and procedures, and annual reporting to OCR.