The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) on Jan. 15 announced a $5.1 million settlement with Excellus Health Plan, along with a corrective action plan, for failures relating to a 2015 data breach that exposed the personal information of 9.3 million individuals.

In September 2015, Excellus filed a breach report notifying HHS that cyber-attackers had gained unauthorized access to its IT systems beginning around December 2013 and continuing until May 2015. The attackers installed malware that led to the disclosure of protected health information, including individuals’ names, addresses, dates of birth, e-mail addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.

Compliance failures: The OCR’s investigation found potential violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, including failure to conduct an enterprise-wide risk analysis and system activity review.

Remediation measures: According to the resolution agreement, as part of its corrective action plan, Excellus “shall conduct a comprehensive and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of the electronic protected health information it holds. The company must also “develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis,” including a process and timeline for implementing, evaluating, and revising its risk remediation activities.

Excellus will be subject to a two-year monitoring period.