WellPoint Pays HHS $1.7 Million for Data Breach
WellPoint has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of HIPAA data security rules.
WellPoint informed HHS of the breach, which occurred from Oct. 23, 2009 to Mar. 7, 2010 and involved more than 612,000 policyholders, in compliance with the HITECH Act's Breach Notification Rule. An investigation found that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule, including:
- not implementing policies and procedures for authorizing access to an on-line application database
- failing to perform an appropriate technical evaluation in response to a software upgrade to its information systems
- failing to put technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
Data exposed included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet," the agency said in a statement.
Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ...