Excellus Health Plan of New York state is to pay $5.1m (€4.2m) to the Office for Civil Rights (OCR) in the US and implement a corrective action plan following a data breach.

The agreement settles potential violations of privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) related to a hack affecting more than 9.3m people dating back almost a decade.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information,” said OCR Director Roger Severino.

“In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries.

“We know that the most dangerous hackers are sophisticated, patient and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

In September 2015, Excellus announced cyber-attackers had gained unauthorised access to its IT systems. The breach began on or before 23 December 2013 and ended on 11 May 2015.

The hackers installed malware, which resulted in the impermissible disclosure of protected health information of the 9.3m-plus people, including their names, addresses, dates of birth, email addresses, social security numbers, bank account information, health plan claims and clinical treatment information, said the Department of Health and Human Services, of which the OCR is part.

The OCR’s investigation found potential violations of HIPAA’s rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, an information system activity review and access controls.

Excellus Health Plan provides health insurance coverage to more than 1.5m people in upstate and western New York state.