HIPAA Breach Alert: WellPoint fined $1.7M
In what is believed to be one of the larger HIPAA breach settlements in recent memory, health insurer WellPoint has agreed to settle with HHS for $1.7M stemming from a 2009 and 2010 incident where WellPoint impermissibly disclosed the ePHI of over 600,000 individuals through an unsecured online application. During its investigation, OCR found that WellPoint had not enacted the appropriate administrative, technical, and physical safeguards mandated under HIPAA.
WellPoint discovered the security and privacy lapses when an applicant to the insurer notified the company that she could access PHI of other policyholders through the WellPoint website application. This event further exemplifies to providers that actual acquisition of PHI by unauthorized individuals is not needed to trigger HIPAA violations. Rather, merely the discovery of unsecured data in any form can be enough to trigger an OCR investigation and lawsuit.