The Excellus Health Plan (EHP) data breach from September 2015 has been investigated and an agreed upon $5.1 million dollars will be paid to the HHS. This massive breach is said to have affected over 9.3 million people over the course of an estimated year and a half.

It was revealed that attackers had gained access to EHP systems and installed malware that resulted in individual’s information, including Social Security numbers, bank account information, and clinical treatment information being disclosed.

HHS found potential violations of HIPAA Rules during their investigation. They found that EHP was not conducting thorough risk analysis, along with not reviewing system activity records, and not implementing technical policies and procedures around limiting access to ePHI to those that have been granted access.

EHP has agreed to a 2-year Corrective Action Plan, as well. The plan outlines details and timeframes for remediating the issues found. The organization will be heavily monitored while implementing the plan and will be required to submit required reports and documentation to show improvement.