In its third resolution agreement of 2013, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) today announced a $1.7 million resolution agreement with WellPoint, Inc., a health insurer and managed care company.  The resolution agreement stems from WellPoint’s June 18, 2010 report to OCR regarding security weaknesses in an online application database which left the ePHI of 612,402 individuals accessible to unauthorized individuals over the Internet for almost 5 months between 2009-2010.  Information accessible included names, dates of birth, Social Security numbers, telephone numbers, and health information.    

In response to WellPoint’s report, OCR initiated its investigation into WellPoint’s compliance with the Privacy, Security, and Breach Notification Rules on September 9, 2010.  OCR’s investigation indicated the following:

  • Contrary to its obligations under the Security Rule, WellPoint failed to adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database;
  • WellPoint failed to perform an adequate technical evaluation to ensure that safeguards were in place to meet requirements of the Security Rule for an operational change – a software upgrade – which would affect the security of ePHI maintained in its web-based application database;
  • Between October 23, 2009 and March 7, 2010, WellPoint failed to adequately implement technology to verify persons or entities seeking access to ePHI maintained in its web-based application database;
  • During the same period of time, WellPoint impermissibly disclosed the ePHI of approximately 612,000 individuals maintained in its web-based application database. 

Directly addressed in HHS’ press release regarding the WellPoint settlement, HHS instructs covered entities and their business associates to have in place reasonable and appropriate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of ePHI.  As previously discussed on the Data Privacy Monitor, beginning September 23, 2013, liability for HIPAA violations will extend directly to business associates that receive or store PHI.