Wellpoint Agrees to $1.7 Million Settlement for HIPAA Violations

Wellpoint is one of the largest providers of Affiliated Health Plans, with almost 36 million policy holders across the United States. Between October 23, 2009 and March 7, 2010, part of its database of policy holders was accessible to unauthorized individuals.

The security breach was brought to the attention of Wellpoint in March 2010 when a lawsuit was filed in California by an applicant who discovered it was possible to access the electronic Protected Health Information of Wellpoint policy holders. Wellpoint took rapid action to restrict access and began an investigation into the data security breach.

Wellpoint determined that the personal health data had been accessible to unauthorized third parties, although the exposure was limited to 31,700 individuals. Names, addresses and contact details were accessible, along with health information and Social Security numbers.

HIPAA requires that breach notifications be sent to all those affected by a security breach so that they can take action to mitigate any damage caused. The company complied with these regulations and sent notifications to all those affected. It also offered them credit monitoring services to help mitigate any damage.

As required by the Health Information Technology for Economic and Clinical Health Act, Wellpoint issued a breach notification informing the Office for Civil Rights (OCR) of the security breach. The security breach was published on the OCR’s website (as required by the American Recovery and Reinvestment Act of 2009) and the OCR conducted an investigation.

Under HIPAA regulations, “appropriate administrative, technical and physical safeguards” must be put in place to ensure that access to ePHI is restricted to authorized personnel only. The OCR determined that the security breach resulted from a failure to implement these safeguards. In a recent announcement, the OCR confirmed that a settlement has been reached with Wellpoint for $1.7 million for the HIPAA violations.

The OCR also announced that during the course of the investigation it conducted a forensic analysis of the data breach and determined that the personal health information of 612,404 persons was exposed in the breach, and not 31,700 as reported by Wellpoint. The OCR website is still showing the data breach as having affected 31,700 individuals on its “wall of shame”, the figure detailed in the original report.
With this 600K breach, the total number of people affected by HIPAA breaches is almost 22.8 million.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.