WellPoint Security Breach Leads to $1.7 Million HIPAA Penalty

Due to violations of the privacy and security rules under HIPAA, WellPoint has agreed to pay a $1.7 million penalty to the United States Department of Health and Human Services (HHS). Between October 2009 and March 2010, personal information including names, dates of birth, addresses, Social Security numbers, telephone numbers, and other health information were available to unauthorized users due to online security weakness.

The HHS’s Office of Civil Rights launched an investigation of WellPoint’s information systems after WellPoint submitted a breach report to HHS in 2010. The investigation indicated WellPoint did not:
• adequately implement policies and procedures for authorizing access to the on-line application database • perform an appropriate technical evaluation in response to a software upgrade to its information systems • have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

While WellPoint’s initial breach report suggested that approximately 31,700 people were affected by the breach, the final number in the settlement agreement was 612,402 affected individuals. To date, there have been 627 incidents of unauthorized user access. Combined, the breach has involved the disclosure of the records of nearly 22.8 million people.

With this penalty, WellPoint joins the ranks of CVS Pharmacy, Alaska Department of Health and Human Services, Massachusetts Eye and Ear Infirmary and Blue Cross Blue Shield of Tennessee, all of whom have paid penalties over $1.5 million to HHS for HIPAA privacy and security violations since 2009.

For the Office of Civil Rights’ press release regarding the settlement, click here.

For more information about WellPoint’s HIPAA penalty or other HIPAA matters, contact Abby Pendleton, Esq. or Clinton Mikel, Esq. at (248) 996-8510.