
In $1.7M WellPoint Settlement, HHS Warns Covered Entities on Change Management

By Adam H. Greene
07.12.13

On July 8, 2013, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) entered into a $1.7 million resolution agreement with WellPoint over a 2009-2010 security breach. In the resolution agreement and press release, HHS warned “[t]his case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems.” This is HHS’s third financial settlement in three months after a five-month lull coinciding with the release of the HIPAA Omnibus Rule at the beginning of 2013.

The WellPoint incident was initially reported to HHS as a breach report in June 2010. From Oct. 23, 2009, to March 7, 2010, WellPoint impermissibly disclosed the electronic protected health information, including the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information of approximately 612,000 individuals whose information was maintained in a web-based application database. Of note, the HIPAA Omnibus Rule’s definition of “disclosure” includes the “provision of access to” information. HHS likely took the position that a disclosure occurred through the provision of access to the information, as opposed to focusing on whether a third party actually obtained the information.

The resolution amount and the lack of a corrective action plan make this settlement significant. The $1.7 million resolution amount is more than quadruple the $400,000 settlement with Idaho State University for a similar matter in which ISU’s firewalls were down for a number of months. This is consistent with OCR’s history of seeking larger settlement amounts for larger organizations and larger breaches. Also, this is the first settlement without a corrective action plan.

This is not the first settlement that WellPoint has reached on this matter. The managed care company also settled with the Indiana attorney general for $100,000 in July 2011 for the same incident, although that settlement focused on an alleged delay in notification.

Covered entities and their business associates should carefully consider how to build information security into change management processes. Of particular concern are updates to web-based applications or portals and information accessible over the Internet. Whether moving a facility or upgrading software, organizations should consider what systems are in place to avoid having changes lead to unmitigated risks to protected health information.

For more information, contact Adam Greene, Becky Williams or the DWT attorney with whom you normally work.

©1996-2022 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Prior results do not guarantee a similar outcome.