Indiana AG Sues WellPoint over HIPAA Breach

Greg Zoeller, the Indiana Attorney General, has taken action against a violator of HIPAA laws and has filed a lawsuit against WellPoint for breach notification failures following the 32,000-record data breach it discovered on March 8 of this year.

Even with the very best security systems, data breaches still occur. In this case, however, the breach was the result of human error. The lawsuit has been filed not for the disclosure of Protected Health Information, but for the tardy breach response.

HIPAA and Two Indiana State Laws Violated

The lawsuit has been filed under state laws, with the suit claiming WellPoint violated two separate breach notification laws in Indiana by failing to notify the Attorney General and patients within a reasonable time frame that their information had potentially been compromised. Under state laws the Attorney General’s office can fine organizations that fail to comply with data protection laws, with each of the two violations WellPoint committed carrying a maximum penalty of $150,000. A fine of $300,000 could therefore be issued.

In July 2009, the state passed a new data breach law to supplement current state legislation covering the notification of individuals after their personal information has been disclosed in a security breach. As with HIPAA, organizations must notify patients within “a reasonable amount of time,” while state laws require the AG to be notified as well. After an investigation into the incident was conducted, the AG’s office determined that the breach response was unnecessarily delayed.

The breach law was only passed last year, so the AG has so far not issued any fines to organizations that have delayed the sending of notifications. This is the first time a lawsuit has been filed under the new law.

Over Three Months to Issue Breach Notifications

The Attorney General was notified about WellPoint’s data breach in June, not via a breach report submitted by WellPoint but through a news report in the Star Tribune. This was more than three months after the data breach was discovered, and it took until June 18 before breach notification letters started to be sent to affected individuals.

Under HIPAA Rules, covered entities must notify breach victims and the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovery of a breach involving more than 500 records.

In addition to the AG lawsuit, WellPoint may be investigated by the OCR and could be penalized under HIPAA laws. The OCR is permitted to issue fines of up to $1.5 million for HIPAA violations involving willful neglect. Since the breach notification requirements are clear, and ignorance is not a valid defense, WellPoint could have to cover a substantial bill for failing to issue notifications.

The company has already settled with the Connecticut AG’s office for exposing the data of 5,600 residents in the breach, and the total number of individuals affected is understood to be 470,000.

The data breach occurred during an upgrade of the company’s authentication and log-in application website, when security protections were not implemented. The data remained on an insecure website from October 2009 until the issue was discovered in March 2010. During that time it was possible for unauthorized individuals to access the data of patients. It was not just Indiana residents who were affected: in total, victims living in 9 U.S. states have had their data potentially viewed by unauthorized individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.