Case Example Wellpoint

This page describes a WellPoint, Inc. agreement to pay OCR $1.7M to settle potential violations of the HIPAA Privacy and Security Rules.

Final

Issued by: Office for Civil Rights (OCR)

Issue Date: July 05, 1905

WellPoint pays HHS $1.7 million for leaving information accessible over Internet

The managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. OCR's investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule. Specifically, the investigation indicated that WellPoint did not: adequately implement policies and procedures for authorizing access to the online application database; perform an appropriate technical evaluation in response to a software upgrade to its information systems; or have technical safeguards in place to verify the identity of the person or entity seeking access to electronic protected health information (ePHI) maintained in its application database. As a result, the investigation indicated that WellPoint impermissibly disclosed the ePHI of 612,402 individuals by allowing access to the ePHI of those individuals maintained in the application database.
