Excellus will pay $5.1M to OCR after data breach affects 9.3M people – Healthcare IT News



The U.S. Department of Health and Human Services Office for Civil Rights announced Friday that Excellus Health Plan, also known as Excellus BlueCrossBlueShield, has agreed to pay $5.1 million to settle potential HIPAA violations.

The potential violations concerned a breach that lasted nearly a year and a half and affected more than 9.3 million people, according to OCR.

"We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat," said OCR Director Roger Severino in a statement.



Excellus is a New York-based health insurer that provides insurance coverage to more than 1.5 million people in upstate and western New York. 

In September 2015, Excellus filed a breach report stating that cybercriminals had gained unauthorized access to its IT systems. The attackers had installed malware and conducted snooping activities, ultimately resulting in the disclosure of the protected health information of more than 9.3 million individuals. 

This included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims and clinical treatment information, according to OCR.

In addition, Excellus reported that the breach began on or before December 23, 2013 and ended on May 11, 2015 – about 17 months later. 

OCR’s investigation found potential violations of HIPAA rules, including failures to implement risk management, information system activity review, access controls and a failure to conduct an enterprise-wide risk analysis.

In addition to the monetary settlement, Excellus will undertake a corrective action plan including two years of monitoring.


Although the Excellus incident occurred more than five years ago, health systems and hospitals have faced a continuing spate of cyberattacks – compounded further by the COVID-19 crisis, increased reliance on telehealth and now the vaccine rollout. 

Last fall, HHS, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency warned of an "increased and imminent" cyber threat to hospitals and offered basic suggestions for how hospitals and healthcare organizations can shore up their defenses.


"Hacking continues to be the greatest threat to the privacy and security of individuals' health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries," said Severino.

Kat Jercich is senior editor of Healthcare IT News.

Twitter: @kjercich

Email: [email protected]

Healthcare IT News is a HIMSS Media publication.
