WellPoint, which serves nearly 36 million people through its affiliated health plans, has agreed to pay a $1.7 million penalty to HHS for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.
Between Oct. 23, 2009, and March 7, 2010, access to personal data for 612,402 people—their names, dates of birth, addresses, Social Security numbers, telephone numbers and health information—was made available to unauthorized users as the result of online security
During an investigation of WellPoint's information systems, HHS' Office for Civil Rights found that the Indianapolis-based insurer had not enacted appropriate administrative, technical and physical safeguards for data as required by HIPAA.
The investigation by OCR was prompted when WellPoint submitted a breach report in 2010 to HHS, a requirement under the Health Information Technology for Economic and Clinical Health Act whenever a breach of health information occurs.
“From the time of the breach report through the investigation, there was a thorough study of the incident, and this is a negotiated settlement, which also takes time,” Rachel Seeger, senior health information privacy outreach specialist with the Office for Civil Rights, said in an interview.
WellPoint's settlement is one of the larger penalties to be levied under the HIPAA rules, though not the largest to date. In 2009, CVS Pharmacy agreed to pay $2.25 million after an investigation revealed that the pharmacy chain had not properly disposed of protected health information. But 2012 saw the most frequent imposition of heavy fines, with the Alaska Department of Health and Human Services settling for $1.7 million, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates settling for $1.5 million, and Blue Cross and Blue Shield of Tennessee agreeing to pay $1.5 million. All those were for violations of the privacy and security rules.
WellPoint was first alerted to the breach in March 2010 when a WellPoint applicant in California filed a lawsuit in the state, notifying the company that she could access personal health data of other customers. By June of that year, WellPoint had begun sending notifications to policyholders whose information had been stored in the system during the time of the breach, and offered identity protection services to those affected.
In its initial report to OCR, WellPoint determined 31,700 were affected by the breach, Seeger said. That number is still posted on the OCR's public website, known informally as the “wall of shame,” which the agency is required to maintain under a mandate from the American Recovery and Reinvestment Act of 2009. Subsequent forensic analysis of the breach determined that 612,404 individuals were affected—the number reported by the OCR in its settlement agreement announcement.
Thus far, there have been 627 incidents posted on the OCR's website since public reporting was required, beginning in September 2009. These reported incidents each involved the exposure of records of 500 or more individuals. Combined, they involve—including the updated numbers from the WellPoint breach—the disclosure of the records of nearly 22.8 million people.
Since July 2008, under the HIPAA rules, HHS has collected a total of nearly $17 million in penalties through resolution agreements, which also require certain corrective plans of the offending entities.

Follow Rachel Landen on Twitter: @MHrlanden
Follow Joseph Conn on Twitter: @MHJConn