Security vulnerability in online application database leads to breach settlement
AHA News Now
Jul 12, 2013
WellPoint Inc. has agreed to pay $1.7 million to settle potential HIPAA violations resulting from security weaknesses in an online application database, the Department of Health and Human Services’ Office for Civil Rights announced yesterday. The weaknesses left the electronic protected health information of 612,402 people accessible to unauthorized individuals over the Internet. “This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet,” HHS said. HHS said an investigation by its Office of Civil Rights indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA security rule. It said the managed care company did not adequately implement policies and procedures for authorizing access to the on-line application database; perform an appropriate technical evaluation in response to a software upgrade to its information systems; or have technical safeguards.