Excellus Blue Cross and Blue Shield to pay $5.1M HIPAA penalty
Excellus Health Plan, which does business as Excellus Blue Cross and Blue Shield, has agreed to pay HHS’ Office for Civil Rights $5.1 million to resolve alleged HIPAA violations.
The fine settles possible HIPAA violations stemming from a data breach the New York-based health insurer reported to OCR in September 2015, in which cyberattackers gained access to Excellus’ information technology systems from at least December 2013 to May 2015. The data breach compromised data on more than 9.3 million people.
Excellus in 2015 said the data breach affected an estimated 7 million Excellus members and an estimated 3.5 million members with non-Blues affiliates of its holding company, Lifetime Healthcare Cos.
In an investigation into the breach, OCR identified possible HIPAA violations including Excellus not conducting risk analyses and not implementing risk management processes.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” said thenOCR Director Roger Severino in a statement. “In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries.”
The $5.1 million penalty marks the first breach-related HIPAA settlement from OCR this year. The largest HIPAA settlement reached by the office last year was a
$6.85 million fine levied on Premera Blue Cross, which also marked the second-largest fine resolving possible HIPAA violations in OCR’s history, after a $16 million fine paid by Anthem in 2018.
In addition to the monetary settlement, Excellus will implement a corrective action plan that includes HHS monitoring the insurer’s compliance with HIPAA for
● two years.
Providence has named its interim chief financial officer to the permanent C-suite position. Greg Hoffman has served in the interim role since August 2020. The Renton, Wash.-based health system said his promotion was effective last week.
Hoffman replaces Venkat Bhamidipati, a former Microsoft executive who served as CFO for three years before leaving for a role as CFO at computer security company McAfee. Before becoming interim CFO, Hoffman was Providence’s chief transformation officer. In that role, he worked to modernize administrative and care delivery services. The health system said Hoffman has helped integrate financial planning functions like budgeting, cost accounting and productivity.
Providence CEO Dr. Rod Hochman said in a statement that effective financial stewardship is essential to advancing the not-for-profit health system’s mission. Before joining Providence, Hoffman held leadership roles at Visa and T-Mobile. He also worked for Hewlett-Packard and Deloitte Consulting.
Hoffman takes over at a precarious time for a health system that’s been hard hit by the COVID-19 pandemic. Providence posted an operating loss of $214 million on $18.9 billion in revenue in the nine months ended Sept. 30, a 1.1% loss margin. That’s despite having recognized $682 million in federal relief grants during that period. The health system’s admissions were down more than 12% year-over-year in the period.
Providence also announced two new regional leadership roles responsible for the northern and southern portions of its seven-state footprint. Lisa Vance, currently chief executive of Oregon, will become president of operations and strategy for the northern regions that Providence serves: Alaska, Montana, Oregon and Washington. She’ll continue to serve as chief executive for the Oregon region.
Erik Wexler, currently chief executive of Southern California, will become president of operations and strategy for the southern region, which includes Northern California, Southern California, New Mexico and Texas.