WellPoint hit with $1.7 million for Security Weaknesses in Online Application

by | Jul 12, 2013 | Data Breach Laws, Government Enforcement

The increasingly heavy-handed OCR announced yesterday yet another resolution agreement for HIPAA violations, this time hitting WellPoint Inc., a managed care company, with $1.7 million for an Internet breach that occurred between 2009 and 2010 and affected over 600,000 individuals. HHS stated in the press release,

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Data (including names, birth dates, social security numbers and health information) was unsecured in a web-based application database after an upgrade.  The resolution agreement alleges that the Data was disclosed improperly over a five month period.  HHS indicated that,

  • WellPoint failed to implement policies for authorizing access to ePHI;
  • WellPoint failed to perform an “adequate” technical evaluation after a software upgrade affected authentication controls; and
  • WellPoint failed to implement technology to verify (authenticate) access to ePHI by authorized individuals.

Covered Entities affiliated with WellPoint include certain Anthem, Blue Cross and Blue Shield, and UNICARE health plans, among others.  There was no Corrective Action Plan accompanying the resolution agreement, which seems to indicate OCR was happy with the mitigative action taken by WellPoint after the fact. However, the Indiana attorney general’s office had filed suit against WellPoint back in 2010 for failing to provide notification as required under state breach laws, and the Connecticut attorney general’s office opened an investigation as well. 

For entities planning software and other upgrades and modifications (all you “Meaningful Users”, to start), you can retrieve a copy of the news release and resolution agreement to give to and hammer home with your Security Officer and IT Departments here.
