WellPoint informed DHS of the breach, which occurred from Oct. 23, 2009 to Mar. 7, 2010 and involved more than 612,000 policyholders, in compliance with the HITECH Act's Breach Notification Rule. An investigation found that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule, including:
- not implementing policies and procedures for authorizing access to an on-line application database
- failing to perform an appropriate technical evaluation in response to a software upgrade to its information systems
- failing to put technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
Data exposed included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet," the agency said in a statement.
Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ...