Home > Legal Library > Article

Join Matindale-Hubbell Connected

Wellpoint Pays $1.7 Million for HIPAA Breach

Eric D. Fader
Leslie J. Levinson
Edwards Wildman Palmer LLP - New York Office

July 18, 2013

Previously published on July 2013

On July 11, the U.S. Department of Health and Human Services announced that health insurer Wellpoint Inc. has agreed to pay the sum of $1.7 million to settle claims that it violated the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). An improperly secured online database caused the electronic protected health information (ePHI) of 612,402 Wellpoint customers to be potentially vulnerable to unauthorized access, although the company said that it did not believe that any fraud or identity theft had occurred due to the breach.

WellPoint had self-reported the breach to HHS in 2010. In its investigation, HHS determined that Wellpoint had failed to:

  • adequately implement policies and procedures to authorize access to the online database,

  • perform an appropriate technical evaluation in response to a software upgrade to its information systems, or

  • have technical safeguards in place to verify the person or entity seeking access to the ePHI maintained in the database.

In its statement, HHS said, “This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”

WellPoint's settlement is the latest in a series of recent similar payments arising out of data breaches by covered entities under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, which made HIPAA’s requirements directly applicable to “business associates” of covered entities.


The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.

View More Library Documents By...

Edwards Wildman Palmer LLP Overview