On July 8, 2013, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) entered into a $1.7 million resolution agreement with WellPoint over a 2009-2010 security breach. In the resolution agreement and press release, HHS warned “[t]his case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems.” This is HHS’s third financial settlement in three months after a five-month lull coinciding with the release of the HIPAA Omnibus Rule at the beginning of 2013.
The WellPoint incident was initially reported to HHS as a breach report in June 2010. From Oct. 23, 2009, to March 7, 2010, WellPoint impermissibly disclosed the electronic protected health information, including the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information of approximately 612,000 individuals whose information was maintained in a web-based application database. Of note, the HIPAA Omnibus Rule’s definition of “disclosure” includes the “provision of access to” information. HHS likely took the position that a disclosure occurred through the provision of access to the information, as opposed to focusing on whether a third party actually obtained the information.
The resolution amount and the lack of a corrective action plan make this settlement significant. The $1.7 million resolution amount is more than quadruple the $400,000 settlement with Idaho State University for a similar matter in which ISU’s firewalls were down for a number of months. This is consistent with OCR’s history of seeking larger settlement amounts for larger organizations and larger breaches. Also, this is the first settlement without a corrective action plan.
This is not the first settlement that WellPoint has reached on this matter. The managed care company also settled with the Indiana attorney general for $100,000 in July 2011 for the same incident, although that settlement focused on an alleged delay in notification.
Covered entities and their business associates carefully should consider how to build information security into change management processes. Of particular concern are updates to web-based application or portals and information accessible over the Internet. Whether moving a facility or upgrading software, organizations should consider what systems are in place to avoid having changes lead to unmitigated risks to protected health information.