In $1.7M WellPoint Settlement, HHS Warns Covered Entities on Change Management


On July 8, 2013, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) entered into a $1.7 million resolution agreement with WellPoint over a 2009-2010 security breach. In the resolution agreement and press release, HHS warned “[t]his case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems.” This is HHS’s third financial settlement in three months after a five-month lull coinciding with the release of the HIPAA Omnibus Rule at the beginning of 2013.

The WellPoint incident was initially reported to HHS as a breach report in June 2010. From Oct. 23, 2009, to March 7, 2010, WellPoint impermissibly disclosed the electronic protected health information, including the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information of approximately 612,000 individuals whose information was maintained in a web-based application database. Of note, the HIPAA Omnibus Rule’s definition of “disclosure” includes the “provision of access to” information. HHS likely took the position that a disclosure occurred through the provision of access to the information, as opposed to focusing on whether a third party actually obtained the information.

The resolution amount and the lack of a corrective action plan make this settlement significant. The $1.7 million resolution amount is more than quadruple the $400,000 settlement with Idaho State University for a similar matter in which ISU’s firewalls were down for a number of months. This is consistent with OCR’s history of seeking larger settlement amounts for larger organizations and larger breaches. Also, this is the first settlement without a corrective action plan.

This is not the first settlement that WellPoint has reached on this matter. The managed care company also settled with the Indiana attorney general for $100,000 in July 2011 for the same incident, although that settlement focused on an alleged delay in notification.

Covered entities and their business associates should carefully consider how to build information security into their change management processes. Of particular concern are updates to web-based applications or portals and to information accessible over the Internet. Whether moving a facility or upgrading software, organizations should consider what controls are in place so that changes do not leave protected health information exposed to unmitigated risks.



© Davis Wright Tremaine LLP | Attorney Advertising
