Late News: WellPoint takes a hit

WellPoint is set to crash two Top 10 lists—the number of members' records exposed in a security breach, and the size of the federal settlement amount paid as a result.WellPoint, which claims 36 million covered lives through its affiliated health plans, has agreed to pay a $1.7 million penalty to HHS for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, stemming from a 2010 incident.

During an investigation of WellPoint's information systems, HHS' Office for Civil Rights found that the Indianapolis-based insurer had not enacted appropriate administrative, technical and physical safeguards for data as required by HIPAA.

WellPoint's case will become one of the largest medical records breaches kept by OCR, once that agency, which negotiated the settlement agreement, updates its public “wall of shame” breach list to reflect the magnitude of the breach that occurred sometime between Oct. 23, 2009 and March 7, 2010.

In its initial report to OCR, WellPoint determined 31,700 persons were affected by the breach, according to OCR spokeswoman Rachel Seeger. Subsequent forensic analysis of the WellPoint breach determined that 612,404 individuals were affected, Seeger said, and that's the number reported by the OCR in its settlement agreement announcement.

Thus far, there have been 627 incidents posted on the OCR's website since public reporting was required, beginning in September 2009. These publicly reported incidents each involved the exposure of records of 500 or more individuals. Combined, they exposed the records of nearly 22.8 million people.

In addition to those on the public list, the civil rights office has received more than 81,000 reports of breaches involving fewer than 500 individuals' records that are not individually reported to the public. Combined, these lesser breaches have affected more than 915,000 individuals, according to Seeger.

Three of the five largest breaches were public or private healthcare plans or coverage providers. The biggest case involved TRICARE Management Activity, the military health plan administrator, with 4.9 million records lost on backup tape reels that were stolen from the car of an employee of a business associate, SAIC, in Sept. 2011.

The WellPoint incident ranks tenth in size. It exposed the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information to unauthorized users as the result of online security weaknesses, HHS said Thursday.

The investigation of the WellPoint incident by OCR was prompted when the insurer submitted a breach report in 2010 to HHS, a requirement under the Health Information Technology for Economic and Clinical Health Act whenever a violation of health information occurs.

“From the time of the breach report through the investigation, there was a thorough study of the incident, and this is a negotiated settlement, which also takes time,” Seeger said in an interview.

WellPoint's settlement is also one of the larger penalties to be levied under the HIPAA rules, though not the largest to date. In 2009, CVS Pharmacy agreed to pay $2.25 million after an investigation revealed that the pharmacy chain had not properly disposed of protected health information. In 2012, the Alaska Department of Health and Human Services settled for $1.7 million, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates for $1.5 million, and Blue Cross and Blue Shield of Tennessee for $1.5 million. All those were for violations of the privacy and security rules.

WellPoint was first alerted to the breach in March 2010 when a WellPoint applicant in California filed a lawsuit in the state, notifying the company that she could access personal health data of other customers. By June of that year, WellPoint had begun sending notifications to policyholders whose information had been stored in the system during the time of the breach, and offered identity protection services to those affected.

Since July 2008, under the HIPAA rules, HHS has collected a total of nearly $17 million in penalties through resolution agreements, which also require certain corrective plans of the offending entities.

Follow Joseph Conn on Twitter: @MHJConn

Follow Rachel Landen on Twitter: @MHrlanden