WellPoint takes a hit

Massive medical record breach case to cost insurer $1.7 million

Modern Healthcare - LATE NEWS - Joseph Conn and Rachel Landen

WellPoint is set to crash two Top 10 lists—the number of members’ records exposed in a security breach, and the size of the federal settlement amount paid as a result. WellPoint, which claims 36 million covered lives through its affiliated health plans, has agreed to pay a $1.7 million penalty to HHS for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996, stemming from a 2010 incident.

During an investigation of WellPoint’s information systems, HHS’ Office for Civil Rights found that the Indianapolis-based insurer had not enacted appropriate administrative, technical and physical safeguards for data as required by HIPAA.

WellPoint’s case will become one of the largest medical records breaches kept by OCR, once that agency, which negotiated the settlement agreement, updates its public “wall of shame” breach list to reflect the magnitude of the breach that occurred sometime between Oct. 23, 2009 and March 7, 2010.

In its initial report to OCR, WellPoint determined 31,700 persons were affected by the breach, according to OCR spokeswoman Rachel Seeger. Subsequent forensic analysis of the WellPoint breach determined that 612,404 individuals were affected, Seeger said, and that’s the number reported by the OCR in its settlement agreement announcement.

Thus far, there have been 627 incidents posted on the OCR’s website since public reporting was required, beginning in September 2009. These publicly reported incidents each involved the exposure of records of 500 or more individuals. Combined, they exposed the records of nearly 22.8 million people.

In addition to those on the public list, the civil rights office has received more than 81,000 reports of breaches involving fewer than 500 individuals’ records that are not individually reported to the public. Combined, these lesser breaches have affected more than 915,000 individuals, according to Seeger.

Three of the five largest breaches were public or private healthcare plans or coverage providers. The biggest case involved TRICARE Management Activity, the military health plan administrator, with 4.9 million records lost on backup tape reels that were stolen from the car of an employee of a business associate, SAIC, in Sept. 2011.

The WellPoint incident ranks tenth in size. It exposed the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information to unauthorized users as the result of online security weaknesses, HHS said Thursday.

The investigation of the WellPoint incident by OCR was prompted when the insurer submitted a breach report in 2010 to HHS, a requirement under the Health Information Technology for Economic and Clinical Health Act whenever a violation of health information occurs.

“From the time of the breach report through the investigation, there was a thorough study of the incident, and this is a negotiated settlement, which also takes time,” Seeger said in an interview.

WellPoint's settlement is also one of the larger penalties to be levied under the HIPAA rules, though not the largest to date. In 2009, CVS Pharmacy agreed to pay $2.25 million after an investigation revealed that the pharmacy chain had not properly disposed of protected health information. In 2012, the Alaska Department of Health and Human Services settled for $1.7 million, the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates for $1.5 million, and Blue Cross and Blue Shield of Tennessee for $1.5 million. All those were for violations of the privacy and security rules.

WellPoint was first alerted to the breach in March 2010 when a WellPoint applicant in California filed a lawsuit in the state, notifying the company that she could access personal health data of other customers. By June of that year, WellPoint had begun sending notifications to policyholders whose information had been stored in the system during the time of the breach, and offered identity protection services to those affected.

Since July 2008, under the HIPAA rules, HHS has collected a total of nearly $17 million in penalties through resolution agreements, which also require certain corrective plans of the offending entities.
