On January 15, 2021, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Blue Cross Blue Shield subsidiary Excellus Health Plan, Inc. had agreed to a $5.1 million settlement for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, and had additionally agreed to implement a Corrective Action Plan.
In September 2015, Excellus filed a data breach report, announcing that hackers had gained unauthorized access to the company’s information technology systems between December 2013 and May 2015. The hackers installed malware into Excellus’ systems, which released the personal health information (PHI) of nearly 9.3 million individuals.