On July 11, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $1.7 million settlement with WellPoint Inc. following a security breach that affected over 600,000 individuals.
The WellPoint settlement relates to a database behind an Internet-based application that was not properly secured, resulting in the online exposure of health insurance applicants’ electronic protected health information (“ePHI”), including names, addresses and Social Security numbers, for a period of six months from October 2009 to March 2010. Following the submission of a breach report to the HHS Office for Civil Rights (“OCR”), an investigation determined that WellPoint had not complied with HIPAA Privacy and Security Rule requirements. Specifically, WellPoint had failed to (1) adequately implement policies and procedures to authorize access to ePHI in the database, (2) perform an adequate technical evaluation following a software upgrade that affected the database, and (3) maintain technical safeguards to verify the identity of persons seeking access to ePHI in the database (that is, to authenticate users before granting access).
Pursuant to the resolution agreement, WellPoint has agreed to pay $1.7 million to HHS to settle the potential violations. Unlike other enforcement actions taken by OCR, however, the resolution agreement with WellPoint does not include an attached Corrective Action Plan. There was no indication in the resolution agreement of why the Corrective Action Plan was omitted in this case.
In the press release announcing the settlement, HHS noted that the action “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.” In a not-so-subtle hint of OCR’s future intentions, the press release also mentioned that “Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.” The WellPoint settlement comes less than a month after a $275,000 settlement with Shasta Regional Medical Center and less than two months after a $400,000 settlement with Idaho State University.