January 19, 2021

Breach Impacting 9.3M People Leads to $5.1M HIPAA Settlement

Client Alert
Beth Neal Pitman

The second HIPAA settlement of 2021 is the first traditional enforcement action of the year. And it's a big one.

Traditionally, OCR enforcement has been triggered by breaches. In 2020, however, we saw a significant increase in a sub-set of Privacy Rule enforcement arising out of the U.S. Department of Health and Human Services' Office for Civil Rights' (OCR) patient "Right of Access" initiative. To date, OCR has published 14 Right of Access settlements, which we have addressed previously in this blog. This time around, OCR has returned to post-breach enforcement.

Here, OCR settled an investigation of Excellus Health Plan (EHP), which includes several affiliates of the Lifetime Healthcare Companies, arising from a 2015 notice to OCR of a breach of 9.3 million people's health records as the result of a hacking incident. Specifically, in 2015, after cyberattacks on other health plans, such as Anthem, EHP retained a forensic analyst to assess the company's IT systems. During the assessment, EHP discovered that a cyber-attack had begun in 2013 and continued until its discovery in 2015. In addition to notifying OCR, EHP notified the FBI of the cyber-intrusion.

According to OCR, in this case, cyber-attackers gained unauthorized access to EHP's technology systems, which enabled the installation of malware and the ability to conduct reconnaissance that resulted in the extraction of information on over 9.3 million people and allowed the attacker to operate within the system throughout that period. In addition to demographic information, the breach compromised Social Security numbers, bank account information, health plan claims, and clinical treatment information. Yet, impermissible disclosures were not the only issues that OCR found. Among others, OCR identified potential "failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls." Consistent with OCR's standard practices, the settlement also included a two-year corrective action plan with OCR monitoring in addition to the $5.1 million payment. Of course, because this matter involved a settlement, EHP inherently did not concede the alleged violations.

The OCR investigation is not the only legal action faced by EHP. Less than 2 weeks after it filed its notice with OCR, EHP was served with class action complaints, which were subsequently consolidated in one action in the United States District Court for the Western District of New York entitled Fero, et al. v. Excellus Health Plan Inc., et al. The complaint alleges violations of the New York General Business Law ("GBL") Section 349 and several state common-law claims, such as negligence, and finally seeks injunctive relief. The U.S. District Court recently denied the plaintiffs' motion for certification of a damages class, but allowed certification of an injunctive class limited to "All individuals in the United States whose PII and/or PHI was stored in Excellus's systems between December 23, 2013 and May 11, 2015 who (1) are included in Excellus's list of Impacted Individuals and (2) whose PII and/or PHI currently resides in Excellus's systems." How this "splitting of the baby" impacts the future of the class action is yet to be seen. Nevertheless, it is important to note that the lawsuit against EHP is founded upon state law. This is because HIPAA does not afford a private right of action for individuals.

There are several takeaways from this most-recent enforcement action:

  • Invest in and perform regular security risk assessments, including vulnerability and penetration testing, of all systems and devices. Incomplete or insufficient compliance with this HIPAA standard has been the basis for the majority of OCR's enforcement decisions. Waiting until notice of cyber-attacks targeting similar businesses is likely too late.
  • Verify that IT staff or vendors are performing and reviewing information security audits that are sufficient to provide prompt notice of an intrusion.
  • Review policies to ensure that the organization has adopted and implemented appropriate policies to protect PHI.
  • HIPAA breaches almost always implicate state laws. Monitor for compliance with applicable state laws as well.
  • Large breaches are typically monitored by potential plaintiffs’ counsel and there has been an increase in data breach class litigation.
  • OCR investigations typically take several years. OCR notified EHP of its investigation in June 2016, about 10 months after EHP filed its breach notice, and the resolution was reached more than 4 years after that.
  • Annually review your cyber-insurance coverage to ensure adequate coverage both for OCR/state regulatory investigations and potential class actions.
  • Continued review and assessment of your HIPAA and state data privacy and security compliance plan is a good business investment.

It is worth noting that the OCR's Corrective Action Plan identifies the regulatory authority's expectations for the scope of a security risk assessment. The plan requires EHP to conduct:

  • “a comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by EHP.”
  • “incorporate all EHP facilities, whether owned or rented”
  • “evaluate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by EHP or any EHP entity, that contain, store, transmit, or receive ePHI.”
  • “Prior to conducting the Risk Analysis, EHP shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis.”

Consistent with the announcement of such a large settlement, OCR Director Roger Severino was particularly strident about the OCR's position on breaches of this sort:

Hacking continues to be the greatest threat to the privacy and security of individuals’ health information.  In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries. . . We know that the most dangerous hackers are sophisticated, patient, and persistent.  Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.

Finally, although the timing is likely coincidental, the announcement of this Resolution Agreement came just a day after the U.S. Court of Appeals for the 5th Circuit announced a monumental decision that fundamentally calls into question the OCR's enforcement approach and, in particular, OCR's manner of imposing civil monetary penalties for HIPAA violations.
