Syracuse, N.Y. – Excellus BlueCross BlueShield has agreed to pay $5.1 million to settle a federal investigation that found the insurer may not have done enough to prevent hackers from obtaining private information about more than 9.3 million people in a cyberattack discovered in 2015.
The Office for Civil Rights at the U.S. Department of Health and Human Services announced that Excellus agreed to make the payment to settle potential violations of federal health information privacy rules. As part of the settlement, Excellus also agreed to take corrective action to strengthen the security of its customers’ private medical information.
“In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” Roger Severino, director of the Office for Civil Rights, said in a prepared statement.