Breach Impacting 9.3M People Leads to $5.1M HIPAA Settlement 

January, 2021 - Nathan Kottkamp, Beth Pitman

The second HIPAA settlement of 2021 is the first traditional enforcement action of the year. And, it’s a big one.

Traditionally, OCR enforcement has been triggered by breaches. In 2020, however, we saw a significant increase in a subset of Privacy Rule enforcement arising out of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) patient “Right of Access” initiative. To date, OCR has published 14 Right of Access settlements, which we have addressed previously in this blog. This time around, OCR has returned to post-breach enforcement.

Here, OCR settled an investigation of Excellus Health Plan (EHP), which includes several affiliates of the Lifetime Healthcare Companies, arising from a 2015 notice to OCR of a breach of 9.3 million people’s health records as the result of a hacking incident. Specifically, in 2015, after cyberattacks on other health plans, such as Anthem, EHP retained a forensic analyst to assess the company’s IT systems. During the assessment, EHP discovered that a cyber-attack had begun in 2013 and continued until its discovery in 2015. In addition to notifying OCR, EHP notified the FBI of the cyber-intrusion.

According to OCR, in this case, cyber-attackers gained unauthorized access to EHP’s technology systems, which enabled the installation of malware and the ability to conduct reconnaissance that resulted in the extraction of information on over 9.3 million people and allowed the attacker to operate within the system for that entire period. In addition to demographic information, the breach compromised Social Security numbers, bank account information, health plan claims, and clinical treatment information. Yet, impermissible disclosures were not the only issues that OCR found. Among other things, OCR identified potential “failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.” Consistent with OCR’s standard practices, the settlement also included a two-year corrective action plan with OCR monitoring in addition to the $5.1 million payment. Of course, because this matter involved a settlement, EHP did not concede the alleged violations.

The OCR investigation is not the only legal action faced by EHP. Less than 2 weeks after it filed its notice with OCR, EHP was served with class action complaints, which were subsequently consolidated into one action in the United States District Court for the Western District of New York entitled Fero, et al. v. Excellus Health Plan Inc., et al. The complaint alleges violations of the New York General Business Law (“GBL”) Section 349 and several state common-law claims, such as negligence, and also seeks injunctive relief. The U.S. District Court recently denied the plaintiffs’ motion for certification of a damages class, but allowed certification of an injunctive class limited to “All individuals in the United States whose PII and/or PHI was stored in Excellus's systems between December 23, 2013 and May 11, 2015 who (1) are included in Excellus's list of Impacted Individuals and (2) whose PII and/or PHI currently resides in Excellus's systems.” How this “splitting of the baby” affects the future of the class action remains to be seen. Nevertheless, it is important to note that the lawsuit against EHP is founded upon state law. This is because HIPAA does not afford individuals a private right of action.
