On July 11, 2013, WellPoint, Inc. (“WellPoint”) entered into a Resolution Agreement (the “Agreement”) with the U.S. Department of Health and Human Services (“HHS”) to pay $1,700,000 to settle alleged privacy and security violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Agreement does not contain a Corrective Action Plan. It also clarifies that the Agreement is not an admission of liability by WellPoint.
Between October 2009 and March 2010, WellPoint experienced a potential HIPAA Breach. The Company notified the HHS Office for Civil Rights (“OCR”) on June 18, 2010 that its online application database appeared to have certain security weaknesses that left the electronic Protected Health Information (“ePHI”) of approximately 612,000 individuals accessible to unauthorized users over the Internet for about five months. That ePHI included names, dates of birth, addresses, Social Security numbers, phone numbers, and health information.
Following WellPoint’s Breach report, on September 9, 2010, OCR initiated an investigation of the Covered Entity, which revealed the following:
- WellPoint did not implement adequate policies and procedures to safeguard access to its online database;
- WellPoint did not conduct a sufficient technical evaluation of potential security risks following a software upgrade;
- Between October 23, 2009, and March 7, 2010, WellPoint did not implement sufficient technology to verify users accessing ePHI in its application database; and
- Between October 23, 2009, and March 7, 2010, WellPoint impermissibly disclosed ePHI of approximately 612,000 individuals.
This settlement illustrates both the trend towards heightened enforcement of the HIPAA Privacy and Security Rules as well as the importance for those entities subject to HIPAA to perform security analyses and to implement security protections when modifying and/or updating their information systems.