Excellus Health Plan, Inc. has agreed to pay $5.1 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 9.3 million people. Excellus Health Plan is a New York health services corporation that provides health insurance coverage to over 1.5 million people in Upstate and Western New York.

OCR’s investigation found potential violations of the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.

Resolution agreement and corrective action plan

Security and compliance are first and foremost in the management of our clients' systems. After we conducted thousands of security risk assessments (SRAs), common vulnerabilities began to emerge, and the OCR findings above (no enterprise-wide risk analysis, no risk management, no information system activity review, no access controls) are among the ones we see most often. We launched HIPAA Tip Tuesday to make clients aware of what actions they can take to address these vulnerabilities.

Have a great week!