On July 11, the U.S. Department of Health and Human Services (HHS) announced that health insurer WellPoint Inc. has agreed to pay $1.7 million to settle claims that it violated the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). An improperly secured online database left the electronic protected health information (ePHI) of 612,402 WellPoint customers potentially exposed to unauthorized access, although the company said it did not believe that any fraud or identity theft had occurred as a result of the breach.

WellPoint had self-reported the breach to HHS in 2010. In its investigation, HHS determined that WellPoint had failed to:

  • adequately implement policies and procedures to authorize access to the online database,

  • perform an appropriate technical evaluation in response to a software upgrade to its information systems, or

  • have technical safeguards in place to verify the person or entity seeking access to the ePHI maintained in the database.

In its statement, HHS said, “This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”

WellPoint’s settlement is the latest in a series of recent similar payments arising out of data breaches by covered entities under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made HIPAA’s requirements directly applicable to “business associates” of covered entities.
