“From the time of the breach report through the investigation, there was a thorough study of the incident, and this is a negotiated settlement, which also takes time,” Rachel Seeger, senior health information privacy outreach specialist with the Office for Civil Rights, said in an interview.
WellPoint's settlement is one of the larger penalties to be levied under the HIPAA rules, though not the largest to date. In 2009, CVS Pharmacy agreed to pay $2.25 million after an investigation revealed that the pharmacy chain had not properly disposed of protected health information. But 2012 saw the most frequent imposition of heavy fines, with the Alaska Department of Health and Human Services settling for $1.7 million, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates settling for $1.5 million, and Blue Cross and Blue Shield of Tennessee agreeing to pay $1.5 million. All those were for violations of the privacy and security rules.
WellPoint was first alerted to the breach in March 2010, when a WellPoint applicant in California filed a lawsuit in that state notifying the company that she had been able to access the personal health data of other customers. By June of that year, WellPoint had begun sending notifications to policyholders whose information had been stored in the system during the period of the breach, and it offered identity protection services to those affected.
In its initial report to OCR, WellPoint determined that 31,700 individuals were affected by the breach, Seeger said. That number is still posted on the OCR's public website, known informally as the “wall of shame,” which the agency is required to maintain under a mandate from the American Recovery and Reinvestment Act of 2009. Subsequent forensic analysis of the breach determined that 612,404 individuals were affected, the number reported by the OCR in its settlement agreement announcement.
Thus far, 627 incidents have been posted on the OCR's website since public reporting became mandatory in September 2009. Each of these reported incidents involved the exposure of records of 500 or more individuals. Combined, and including the updated numbers from the WellPoint breach, they involve the disclosure of the records of nearly 22.8 million people.
Since July 2008, HHS has collected a total of nearly $17 million in penalties under the HIPAA rules through resolution agreements, which also require the offending entities to carry out specified corrective action plans.
Follow Rachel Landen on Twitter: @MHrlanden
Follow Joseph Conn on Twitter: @MHJConn