Excellus agrees to pay $5 million to settle charges for breach that impacted 9.3 million patients

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:

A. The United States Department of Health and Human Services, Office for Civil Rights (“HHS”), which enforces the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that govern the security of electronic individually identifiable health information (45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”), and the Federal standards for notification in the case of breach of unsecured protected health information (45 C.F.R. Part 160 and Subparts A and D of 45 C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to conduct compliance reviews and investigations of complaints alleging violations of the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) by covered entities and business associates, and covered entities and business associates must cooperate with HHS compliance reviews and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).

B. Lifetime Healthcare, Inc., which, for purposes of this Agreement, includes its affiliates, Excellus Health Plan, Inc., doing business as Excellus BlueCross BlueShield and Univera Healthcare, a New York not-for-profit health service corporation that provides health care coverage to 1.5 million individuals in Upstate and Western New York, The MedAmerica Companies (MedAmerica Insurance Company, MedAmerica Insurance Company of Florida, and MedAmerica Insurance Company of New York), and Lifetime Benefit Solutions, Inc.; its dissolved affiliate, Genesee Valley Group Health Association, formerly doing business as Lifetime Health Medical Group; and its former affiliate, Genesee Region Home Care Association, Inc., doing business as Lifetime Care (all, collectively, referred to as “EHP”), is a covered entity, as defined at 45 C.F.R. § 160.103, and, therefore, is required to comply with the HIPAA Rules.

C. HHS and EHP shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct.

On September 9, 2015, HHS received a breach report from EHP, notifying HHS that cyberattackers had gained unauthorized access to its information technology systems that included electronic protected health information (ePHI) for approximately 10 million individuals. On June 29, 2016, HHS notified EHP that it was initiating an investigation regard