Insurer Pays $5.1M OCR Penalty for Data Breach Involving 9.3M Patients

Health IT Security

Jessica Davis

New York-based Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, agreed to a $5.1 million civil monetary penalty and a corrective action plan with the Office for Civil Rights to resolve possible HIPAA failures found after a 2015 data breach impacting 9.3 million patients.

The Excellus security incident was one of the largest data breaches of 2015. The breach was discovered in August 2015, but hackers had gained access to the health plan’s network more than 18 months earlier, in December 2013.

During that time, the threat actors installed...
