Managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential HIPAA Privacy and Security Rule violations committed in 2009 and 2010.  

As so often happens, HHS OCR began its investigation following a self-report of the breach by WellPoint.  That report “indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.”  Based on its investigation, HHS OCR concluded that WellPoint had failed to:

  • “adequately implement policies and procedures for authorizing access to the on-line application database”
  • “perform an appropriate technical evaluation in response to a software upgrade to its information systems”
  • “have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.”

As a result of these shortcomings, OCR concluded that for just over four months (beginning on October 23, 2009 and continuing until March 7, 2010) WellPoint “impermissibly disclosed the ePHI of 612,402 individuals by allowing access to the ePHI of such individuals maintained in the application database. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.”  HHS OCR believes that:

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

It is curious, however, that this matter took so long — over three years from the complaint reporting the breach — to resolve.

HHS OCR has issued a relatively standard press release regarding the settlement and published the Resolution Agreement on its website.  It does not appear that any type of compliance agreement with HHS OCR was entered into by WellPoint.

*   *   *

“A billion here, a billion there, and pretty soon you’re talking real money.”  (This quote, although attributed to Senator Everett Dirksen of Illinois, has never been formally documented.)