WellPoint Portal Breach Incurs $1.7 million in Fines
WellPoint Inc. will pay a $1.7 million fine to settle potential HIPAA Privacy Rule violations, according to a statement from the US Department of Health and Human Services. The department’s Office for Civil Rights (OCR) opened an investigation into the managed care company after WellPoint informed OCR that electronic protected health information (ePHI) of 612,402 people was left accessible to unauthorized individuals via an online portal.
WellPoint’s reporting of the breach is mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The company first learned of the breach in March of 2010. OCR’s investigation revealed that WellPoint had not implemented the proper technical safeguards required under HIPAA, which are typically designed to verify the identity of the person or entity seeking access to ePHI in a database.
As a result, between October 23, 2009 and March 7, 2010, unauthorized individuals had access to data including WellPoint members’ names, birthdates, addresses, Social Security numbers, telephone numbers, and health information, according to HHS.
OCR also determined that WellPoint failed to perform an appropriate technical evaluation in response to a software upgrade to its information systems, and did not sufficiently institute policies and procedures for authorizing access to the online application database.