New York health insurer Excellus Health Plan Inc will pay $5.1 million to resolve possible violations of federal health privacy and security rules related to a cyberattack the company discovered in 2015, the U.S. Department of Health and Human Services said Friday.
Rochester-based Excellus also agreed to take corrective actions under the settlement with the HHS Office for Civil Rights (OCR).
Excellus reported in 2015 that hackers had gained unauthorized access to its computer systems, ultimately leading to the disclosure of more than 9.3 million individuals’ protected health information, the agency said.