New York Health Insurer Data Breach Settlement Proves Importance of Cybersecurity for Businesses

A data breach is every business’s worst nightmare. Not only is it costly, but it also massively damages the brand, leaving many enterprises struggling for survival. 

A case in point is New York Health Insurer, Excellus BlueCross BlueShield, which fell victim to a serious data breach several years ago. The incident was both a public relations disaster and extremely expensive from a litigation perspective. The firm recently agreed to pay out more than $5.1 million to settle a federal investigation that found that it hadn’t done enough to prevent an attack. 

The size of the breach was tremendous. Hackers accessed the health data of more than 9.3 million Excellus BlueCross BlueShield customers freely over the course of an entire year. While the New York Health Insurer had a security plan in place, federal agents did not believe that the company had done enough to ensure data integrity and security. It had also failed to follow health information privacy rules.

The Office of Civil rights said that the original in-house security plan had not gone far enough to stop hackers from roaming inside the company’s system and that the lack of oversight had endangered the privacy of millions of the company’s beneficiaries. 

According to records, the New York data breach began in December 2013, but it took the company more than a year to get the hackers out of the system. During that time, they collected personal information, names, addresses, email addresses, bank details, social security numbers, bank account information, and past health insurance claims—information that they could easily use for fraud. 

Excellus was rattled by the experience but responded by making amends to its security policy. Soon after the news went public, the insurer said that it had learned a lot from the cyberattack and was now using a cybersecurity provider to monitor their data for them. 

In many ways, Excellus was lucky to emerge from the situation in the way that it did. While the fines were large, the company was eventually able to turn things around. Federal investigators believed that it had violated multiple HIPAA rules and that it had failed to implement a proper risk-management system. But the new policies now means that the company is one of the most protected in the industry. 

This episode highlights the importance of choosing to outsource cybersecurity. One IT company in Westchester points out that “use of technology can make or break your business.” And in the case of insurance companies—or any brand that holds personal information about customers—that’s certainly true. 

Excellus’s mistake was that it didn’t take cybersecurity issues seriously enough. It continued processing customer data, without really considering the risks that it faced from hackers or taking action to prevent them from gaining access to information. 

The state is taking an increasingly tough line on data security, and its efforts will likely ramp up under the new administration. That means that breaches in the future are likely to lead to even more brand damage and costly litigation.