BreachExchange mailing list archives

Insurance company WellPoint fined 1.7 million over data exposure


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 12 Jul 2013 11:05:29 -0500

https://www.infoworld.com/t/data-security/insurance-company-wellpoint-fined-17-million-over-data-exposure-222569

Insurance provider WellPoint has agreed to pay a $1.7 million fine for
exposing more than 600,000 personal records online due to weak
database security, the U.S. Department of Health & Human Services
(HHS) said Thursday.

WellPoint, based in Indianapolis, is one of the largest health insurers
in the United States, with more than 100 million customers covered by
it and its subsidiaries.

In 2009, WellPoint reported to the federal agency that an online
database holding personal and health information for 612,402
individuals was left accessible over the Internet between October 2009
and March 2010. The data included names, addresses, birth dates,
Social Security numbers, phone numbers, and health information.

The Health Information Technology for Economic and Clinical Health Act
requires that organizations which fall under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA) Privacy and
Security Rules must report health-related data breaches, according to
HHS.

An HHS investigation found that WellPoint did not have adequate
policies and procedures for access to the online application database.
WellPoint did not have "technical safeguards" in place to verify
people seeking access to the health information held in the system,
HHS said.

The case should remind HIPAA entities to take care in managing
information systems, particularly when changing Web-based applications
or portals, HHS said in a news release.

HHS advised that starting Sept. 23, the liability for many HIPAA
requirements will extend to contractors and subcontractors.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss