Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

HHS.gov
  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom

Breadcrumb

  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. HIPAA Compliance and Enforcement
  5. Case Examples
  6. WellPoint pays HHS 1.7 million for leaving information accessible
  • HIPAA for Professionals
  • Regulatory Initiatives
  • Privacy
    • Summary of the Privacy Rule
    • Guidance
    • Combined Text of All Rules
    • HIPAA Related Links
  • Security
    • Summary of the Security Rule
    • Security Guidance
    • Cyber Security Guidance
  • Breach Notification
    • Breach Reporting
    • Guidance
    • Reports to Congress
    • Regulation History
  • Compliance & Enforcement
    • Enforcement Rule
    • Enforcement Process
    • Enforcement Data
    • Resolution Agreements
    • Case Examples
    • Audit
    • Reports to Congress
    • State Attorneys General
  • Special Topics
    • HIPAA and COVID-19
    • HIPAA and Reproductive Health
    • HIPAA and Telehealth
    • HIPAA and FERPA
    • Mental Health & Substance Use Disorders
    • Research
    • Public Health
    • Emergency Response
    • Health Information Technology
    • Health Apps
  • Patient Safety
    • Statute & Rule
      • PSQIA Statute
      • Patient Safety Rule
    • Enforcement
    • Guidance
  • Covered Entities & Business Associates
    • Business Associate Contracts
    • Business Associates
  • Training & Resources
  • FAQs for Professionals
  • Other Administrative Simplification Rules

WellPoint pays HHS $1.7 million for leaving information accessible over Internet

The managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule. The investigation indicated WellPoint did not: adequately implement policies and procedures for authorizing access to the on-line application database; perform an appropriate technical evaluation in response to a software upgrade to its information systems; or have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database. As a result, the investigation indicated that WellPoint impermissibly disclosed the ePHI of 612,402 individuals by allowing access to the ePHI of such individuals maintained in the application database.

  • Read the Resolution Agreement
  • For Information on OCR’s Enforcement Activities
  • Read the HHS Press Release
  • To File a Health Information Privacy or Security Complaint



 

Content created by Office for Civil Rights (OCR)
Content last reviewed June 7, 2017
Back to top
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • HHS Archive
  • Accessibility
  • Privacy Policy
  • Viewers & Players
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov

Sign Up for Email Updates

Receive the latest updates from the Secretary, Blogs, and News Releases.

Sign Up
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​