Lepide Blog: A Guide to IT Security, Compliance and IT Operations

How Excellus Could Have Avoided the $5.1m HIPAA Violation Penalty

In January 2021, an American health insurer by the name of Excellus agreed to pay over $5.1 million to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) in a settlement after violating the Health Insurance Portability and Accountability Act (HIPAA).

Excellus Data Breach

The violation in question relates to a data breach that resulted in the sensitive data of over 9.3 million people being leaked over the course of 17 months. In the official breach report that Excellus filed back in September 2015, it is stated that cyber-attackers gained unauthorized access to the company’s information technology systems.

The breach went exactly as most targeted cyber-attacks do. The attackers gained access, installed malware, conducted reconnaissance, and, ultimately, disclosed the PHI of more than 9.3 million individuals.

Now, sensitive data, as we know, is a valuable commodity. Protected Health Information (PHI) is another level of sensitivity. If PHI is stolen, an attacker could theoretically steal the individual’s identity. If PHI is lost or modified in some way, it could have real-world effects on patient health. Just last year, we saw homicide charges brought against attackers that caused the death of a patient in Germany. Cyberattacks in the healthcare industry are serious, and so the large settlement figure is no surprise.

Data breaches are, in many ways, inevitable. Attackers are too smart; they adapt too quickly, and they are too determined to beat. What concerns me is that the OCR’s investigation into the security incident found numerous violations of HIPAA, including “failures to implement risk management, information system activity review, and access controls and failure to conduct an enterprise-wide risk analysis.”

This is simple stuff, and it is something that every company that deals with any form of sensitive data should already be doing. It’s criminal that this is still not always the case.

Why Excellus violated HIPAA and how it can be avoided

In this blog, we will quickly go through the reasons why Excellus violated HIPAA and explain how future HIPAA violations can be avoided.

Implementing Risk Management

Information security risk management is a process by which information is protected by identifying threats and mitigating risks. Essentially, it requires organizations to identify what the risks to their sensitive data are and determine what actions need to be taken to mitigate them.

There are several frameworks available to help you define your ISRM plan. One of these, the NIST framework, breaks the strategy down into five core functions: identify, protect, detect, respond, and recover.

For more information on what ISRM is and how to do it, visit this blog we wrote in 2020.

Appropriate Access Controls

This is something that should be common sense in theory but can be difficult to implement in practice. Access controls determine how your users can interact with your environment and your sensitive data.

As a general rule of thumb, users should only be given access to the data that they need to do their job, and nothing more. This is known as the principle of least privilege. Whenever access controls change, security teams need to be aware of how the change affects access to sensitive data. Have users with excessive levels of permissions been created? If so, how was the access granted, and how can you revoke it?

Beyond that, if there are users in your business that require legitimate access to sensitive data, they need to be monitored closely using behavioral analysis, anomaly spotting and change auditing.

For more information on how to manage and monitor access controls, check out this blog we wrote in 2020.

Conducting Risk Assessments

Data security risk assessments need to be carried out regularly, as they are vital in ensuring that you can establish current security gaps and recommend remediation for data breach prevention. HIPAA is just one of the many compliance regulations that mandate risk assessments or risk analyses as a fundamental part of security strategy.

In essence, a successful risk assessment will do the following:

  1. Identify what the risks are to sensitive data and to your security posture.
  2. Identify and organize data by the weight of risk associated with it.
  3. Take action to remediate those risks.

For a detailed look at how to implement a data security risk assessment, read this blog we wrote back in 2020.

Ultimately, if you don’t have a Data Security Platform in place already, a lot of this is going to be too time-consuming, complex and noisy to be able to perform on a regular basis. And compliance mandates, like HIPAA, require speed and regularity to be successful.

If you’d like to see how the Lepide Data Security Platform can help you implement appropriate access controls, manage and assess risk, schedule a demo with one of our engineers.