On July 11, 2013, the U.S. Department of Health and Human Services (HHS) announced that it had reached a $1.7 million dollar resolution agreement with insurer WellPoint Inc., following a security breach that left the personal information of 612,402 individuals exposed and available to unauthorized computer users. Between October 23, 2009, and March 7, 2010, access to protected health information, including the names, dates of birth, addresses, social security numbers, and health information of applicants was made vulnerable after a system upgrade failed to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements. WellPoint is an Indianapolis-based managed health care insurer that serves approximately 65.3 million individuals through its subsidiaries.
In March 2010, WellPoint was put on notice that a breach had occurred when a WellPoint applicant in California filed a lawsuit stating that she had access to the personal health information and data of other applicants. WellPoint submitted a breach report to the HHS Office for Civil Rights (OCR), as required under HIPAA and the Health Information Technology for Economic Clinical Health Act (HITECH Act) whenever a breach of personal health information has occurred. In a statement to the press, WellPoint spokeswoman Cindy Wakefield said, “[a]s soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again.”
The breach occurred because an Internet-based application database was not properly secured with the necessary administrative and technical safeguards, thus exposing the electronic protected health information of applicants. Per OCR guidelines, regardless of whether system upgrades are conducted by providers, payers, or business associates, organizations are expected to have reasonable and appropriate technical, administrative, and physical safeguards in place in order to protect the confidentiality, integrity, and availability of protected health information, especially when it is accessible over the internet.
After being notified of the breach and conducting an in-depth investigation, OCR determined that WellPoint had not been in compliance with certain HIPAA Security Rule requirements by failing to:
(1) Adequately implement policies and procedures for authorizing access to the on-line application database;
(2) Perform an appropriate technical evaluation following a software upgrade to its information systems that affected the database; and
(3) Maintain technical safeguards to verify the identity of persons or entities seeking access to electronic protected health information in the database.
In June 2010, WellPoint began sending out notifications to policyholders whose personal information had been stored in the system during the exposure period, offering identity protection services, such as credit monitoring and identify theft insurance, to the affected members. WellPoint determined that 612,402 individuals had been exposed. As of yet, no fraud or identity theft has been reported publicly as a result of the privacy breach.
In its press release announcing the settlement, HHS noted that this resolution “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.” HHS further warned that “[b]eginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.” This extension may increase the number of fines assessed by the agency. Since July 2008, HHS has collected almost $17 million in penalties for HIPAA rule violations through resolution agreements.
WellPoint’s $1.7 million dollar settlement is one of the larger penalties to be charged under HIPAA. In 2009, CVS Pharmacy agreed to a settlement of $2.25 million dollars after an investigation revealed that protected health information had not been properly disposed of at certain pharmacy locations. However, 2012 saw the most frequent levying of heavy fines for violations of the HIPAA Privacy and Security Rules. In 2012, the Alaska Department of Health and Human Services settled with HHS for $1.7 million dollars, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates settled for $1.5 million dollars, and Blue Cross and Blue Shield of Tennessee agreed to pay $1.5 million dollars. Stringent enforcement of the HIPAA rules continues in 2013. Less than one month ago, Shasta Regional Medical Center entered into a $275,000 settlement and Idaho State University entered into a $400,000 settlement.
In addition to fines and corrective action plans, HHS began requiring public reporting of breaches in September 2009. To date, 627 incidents have been posted on OCR’s website. Each of these reported incidents involved the exposure of records of at least 500 individuals. Including the WellPoint Inc. breach, these combined incidents involve the possible disclosure of the protected health information of nearly 22.8 million individuals.
It remains to be seen if 2013 will surpass the record settlement numbers of 2012 with the impending HIPAA liability expansion.