WellPoint to Pay $1.7 Million Settlement

Website Glitch Exposed Information on 612,000
WellPoint to Pay $1.7 Million Settlement

Insurer WellPoint has agreed to a $1.7 million settlement with the Department of Health and Human Services in a HIPAA case stemming from a website data breach that may have exposed information on more than 612,000 individuals.

See Also: Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level

The HHS Office for Civil Rights says its investigation into the WellPoint breach focused on security weaknesses in an online insurance application tracker database that left the electronic protected health information of more than 612,000 individuals temporarily accessible to unauthorized individuals over a website. That data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.

The incident resulted in a number of lawsuits.

When it revealed the breach, WellPoint indicated the incident was caused by a temporary security lapse for the application tracker program during a system upgrade by a third-party vendor.

"This case sends an important message to HIPAA covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that are used to provide access to consumers' health data using the Internet," says an OCR statement announcing the settlement.

OCR's investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.

Case Details

According to the resolution agreement, on June 18, 2010, HHS received notification from WellPoint regarding a breach. On Sept. 9, 2010, HHS notified WellPoint that it was investigating WellPoint's compliance with HIPAA.

The HHS investigation determined that, between Oct. 23, 2010 and March 7, 201, WellPoint:

  • Did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the HIPAA Security Rule.
  • Did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database;
  • Did not adequately implement technology to verify the identity of a person or entity seeking access to ePHI maintained in its web-based application database;
  • Impermissibly disclosed the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.< li>

The agreement is not an admission of liability by WellPoint, according to the settlement document. But the agreement also is not a concession by HHS that WellPoint has not violated the HIPAA privacy or security rules or that WellPoint is not liable for civil money penalties, OCR notes.

The resolution agreement also does not disclose steps that WellPoint is taking to correct the security and privacy issues. It does not include a "corrective action plan" as is common in other settlements, an OCR spokesperson confirmed.

In a statement, WellPoint notes: "As soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again. We also provided the appropriate notifications as required by state and federal regulations. In addition, we provided credit monitoring and identity theft insurance to all individuals who were potentially impacted. We are not aware of any fraud or identity theft that has occurred as a result of this incident."

HHS, in its statement announcing the settlement, gave a warning to covered entities and business associates about HIPAA compliance as the enforcement deadline of HIPAA Omnibus Rule approaches.

"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information - especially information that is accessible over the Internet," the statement says. "Beginning Sept. 23, 2013, liability for many of HIPAA's requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors."

Other Recent Settlements

OCR has been ramping up HIPAA enforcement with a number of settlements in the last year. Those include:


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.