An American health insurance provider has agreed to pay $5.1 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) over a data breach that led to a possible violation of the Health Insurance Portability and Accountability Act (HIPAA).
The health insurance provider is Excellus Health Plan, Inc., and the fine it is required to pay relates to a data breach that lasted 17 months and is said to have affected more than 9.3 million people.
Excellus is headquartered in New York and provides services and health insurance for more than 1.5 million people in upstate and western New York.
According to the investigations, the breach started on December 23, 2013 (or earlier) and continued until May 11, 2015. The attackers entered the health insurance provider's systems and installed malware, which gave them access to the personal information and health information of 9.3 million people.
The exposed data included: names, addresses, dates of birth, e-mail addresses, Social Security numbers, bank account details, health plans and treatment information.
The Office for Civil Rights investigation found possible violations of HIPAA rules, such as failures in risk management, in reviewing information system activity, etc.
According to Roger Severino, director of OCR, hacking is the biggest threat to the privacy and security of individuals' health information. In the case of Excellus, the attackers were in the systems for more than a year, endangering millions of people who had chosen this particular health insurance provider.
"We know the most dangerous hackers are sophisticated, patient and persistent. Healthcare providers need to protect people's privacy and health information from this growing threat," said Severino.
In addition to the fine, Excellus agreed to implement a corrective action plan that would include monitoring services for customers for two years.
Source: Infosecurity Magazine