The HHS Office for Civil Rights has fined health insurer WellPoint Inc. $1.7 million to resolve allegations of violations of the HIPAA privacy and security rules following a massive breach of protected health information between October 23, 2009 and March 7, 2010.

During that period, protected information was viewable on a Web site used to apply for individual health policies. The breach followed an upgrade to the site done by a business associate. Information that could be viewed included name, date of birth, address, Social Security number, telephone number, email address, and health and financial information.

The breach affected 612,402 individuals across the nation, according to OCR. “Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information--especially information that is accessible over the Internet,” OCR contends in a statement on resolution of the case.

An earlier investigation by the Indiana Office of Attorney General found that WellPoint on Feb. 22, 2010, received written notification of the breach from a consumer, Sarah Groveunder. WellPoint, however, did not attempt to contact Groveunder until March 4, 2010, and could not reach her at that time. On March 8, WellPoint received a class action complaint, filed on behalf of Groveunder and other affected individuals, and the breach was corrected within 12 hours. However, WellPoint did not start to notify affected individuals until June 18, 2010, and did not finish notifications until July 30. WellPoint reached a settlement agreement with Indiana and paid a $100,000 fine.

The HHS Office for Civil Rights, in the new resolution agreement with WellPoint that includes the $1.7 million fine, notes the office did not receive notification of the breach until June 18, 2010. The resolution agreement is available here.
