WellPoint, Inc., an Indiana managed care organization, reported under the requirements of the HITECH Act Breach Notification Rule a breach of the electronic protected health information (“EPHI”) of 612,404 individuals whose names, dates of birth, addresses, Social Security numbers, phone numbers, and health information were “impermissibly disclosed,” according to the Department of Health and Human Services (“DHHS”) press release regarding the settlement. The DHHS Office for Civil Rights (“OCR”) investigation indicated that WellPoint had not implemented appropriate administrative and technical safeguards as required under the HIPAA Security Rule, specifically that WellPoint did not do the following:
- Adequately implement policies and procedures for authorizing access to the online application database.
- Perform an appropriate technical evaluation in response to a software upgrade to its information systems.
- Have technical safeguards in place to verify the person or entity seeking access to EPHI maintained in its application database.
The OCR investigation found that security weaknesses in an online application database left the EPHI accessible to unauthorized individuals over the internet. According to DHHS, this case sends an important message to HIPAA covered entities—and to business associates after September 23, 2013—to take care when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that give consumers access to their health data over the internet. DHHS adds that, whether system upgrades are conducted by covered entities or their business associates, DHHS expects organizations to have in place reasonable and appropriate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of EPHI, especially information that is accessible over the internet.
Simply updating a Risk Analysis based on changes in the online application database might have identified those security weaknesses, and implementing reasonable and appropriate security measures based on that updated Risk Analysis might have helped prevent the breach and the resulting $1.7 million settlement. Have circumstances in your organization changed? When was the last time that you updated your Risk Analysis? Or have you even performed a Risk Analysis? If you need help, contact us at patrick@veteranspress.com.