WellPoint to Pay $1.7 Million SettlementWebsite Glitch Exposed Information on 612,000
Insurer WellPoint has agreed to a $1.7 million settlement with the Department of Health and Human Services in a HIPAA case stemming from a website data breach that may have exposed information on more than 612,000 individuals.
The HHS Office for Civil Rights says its investigation into the WellPoint breach focused on security weaknesses in an online insurance application tracker database that left the electronic protected health information of more than 612,000 individuals temporarily accessible to unauthorized individuals over a website. That data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
The incident resulted in a number of lawsuits.
When it revealed the breach, WellPoint indicated the incident was caused by a temporary security lapse for the application tracker program during a system upgrade by a third-party vendor.
"This case sends an important message to HIPAA covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that are used to provide access to consumers' health data using the Internet," says an OCR statement announcing the settlement.
OCR's investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.
According to the resolution agreement, on June 18, 2010, HHS received notification from WellPoint regarding a breach. On Sept. 9, 2010, HHS notified WellPoint that it was investigating WellPoint's compliance with HIPAA.
The HHS investigation determined that, between Oct. 23, 2010 and March 7, 201, WellPoint:
- Did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the HIPAA Security Rule.
- Did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database;
- Did not adequately implement technology to verify the identity of a person or entity seeking access to ePHI maintained in its web-based application database;
- Impermissibly disclosed the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.< li>
The agreement is not an admission of liability by WellPoint, according to the settlement document. But the agreement also is not a concession by HHS that WellPoint has not violated the HIPAA privacy or security rules or that WellPoint is not liable for civil money penalties, OCR notes.
The resolution agreement also does not disclose steps that WellPoint is taking to correct the security and privacy issues. It does not include a "corrective action plan" as is common in other settlements, an OCR spokesperson confirmed.
In a statement, WellPoint notes: "As soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again. We also provided the appropriate notifications as required by state and federal regulations. In addition, we provided credit monitoring and identity theft insurance to all individuals who were potentially impacted. We are not aware of any fraud or identity theft that has occurred as a result of this incident."
HHS, in its statement announcing the settlement, gave a warning to covered entities and business associates about HIPAA compliance as the enforcement deadline of HIPAA Omnibus Rule approaches.
"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information - especially information that is accessible over the Internet," the statement says. "Beginning Sept. 23, 2013, liability for many of HIPAA's requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors."
Other Recent Settlements
OCR has been ramping up HIPAA enforcement with a number of settlements in the last year. Those include:
- A $400,000 penalty in May against Idaho State University's Pocatello Family Medicine Clinic in a case involving a disabled server that exposed data of 17,500 patients;
- A $1.5 million penalty in September 2012 against Massachusetts Eye and Ear Infirmary related to the theft of an unencrypted laptop; and
- A $1.7 million penalty in June 2012 against the Alaska Department of Health and Social Services in a case involving a small breach that led to an OCR investigation uncovering a number of HIPAA compliance deficiencies.