Wellpoint is among the leading providers of Affiliated Health Policies, with nearly 36 million policy holders throughout the United States. Fraction of its databank of policy holders was accessible to illegal persons between October 23, 2009, and March 7, 2010.
The safety infringement was brought to the notice of Wellpoint in March 2010 when a litigation was recorded in California by a claimant who found it was likely to access the electrical Protected Health Information of Wellpoint policy holders. Wellpoint undertook swift action to hamper access and started an inquiry into the data security infringement.
It concluded that the private health data was accessible to illegal 3rd parties though it was restricted to 31,700 people. Names, contact details and addresses were accessible together with social security numbers and health information.
HIPAA requires that breach notices are transmitted to all those affected by a security infringement to facilitate them to take action to lessen any damage produced. The business complied with these rules and sent notices notifying all those affected by the security infringement. It also provided credit checking services to all those affected to assist lessen any damage produced.
As required by the Health Information Technology for Economic as well as Clinical Health Act, Wellpoint delivered a breach notice informing the Office of Civil rights of the security infringement. The security violation was issued on the OCR’s website (as needed by American Recovery as well as Reinvestment Act of 2009) and the OCR carried out an inquiry.
Under HIPAA rules, “appropriate technical, administrative and physical safeguards” should be put in place to make sure that access to ePHI is limited to approved people only. The OCR concluded that the security infringement was caused as a consequence of a failure to apply these precautions. In a new announcement, the OCR verified that an agreement has been achieved with Wellpoint for $1.7 million for the HIPAA breaches.
The OCR also declared that during the course of the inquiry it carried out a forensic examination of the data infringement and concluded that the private health info of 612,404 people was revealed in the infringement, and not 31,700 as stated by Wellpoint. The OCR website is still displaying the data infringement as having affected 31,700 people on its “wall of shame”, the number detailed in the original statement.
With this 600K infringement, the total number of people affected by HIPAA infringements is roughly 22.8 million.