Best Practices

HIPAA Breach Alert: WellPoint fined $1.7M

In one of the larger HIPAA settlements of recent years, health insurer WellPoint has agreed to pay HHS $1.7M to resolve an investigation into a 2009-2010 incident in which the ePHI of more than 600,000 individuals was impermissibly exposed through an unsecured online application. OCR's investigation found that WellPoint had not implemented the administrative, technical, and physical safeguards required under HIPAA.


WellPoint learned of the lapse when an applicant for coverage notified the company that she could view the PHI of other policyholders through the WellPoint web application. The case is a reminder to covered entities that OCR does not need proof that unauthorized parties actually harvested PHI before finding a violation: the discovery that ePHI was left reachable without appropriate access controls can be enough to trigger an OCR investigation and an enforcement action.
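The failure the applicant stumbled on is the classic web-application pattern of authenticating a user but never checking that the record she asks for is her own. The following is an added illustration, not code from the original post and not a depiction of WellPoint's actual application (the page only says other policyholders' PHI was viewable); the record store, user IDs, role name and field names are constructed sample data. It places the unchecked lookup beside a hardened one that enforces ownership on the server for every request, and includes a small enumeration routine that shows how many foreign records each version hands to a logged-in user who simply walks through application numbers.

```python
"""Object-level authorization for a policyholder record lookup (added example)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


@dataclass(frozen=True)
class Session:
    user_id: str         # the authenticated caller, set by the server at login
    roles: frozenset     # server-assigned roles, e.g. {"claims_adjuster"}; never read from the request


# Constructed sample records keyed by a hypothetical application number.
RECORDS = {
    "APP-1001": {"owner": "u-alice", "name": "Alice Example", "dob": "1980-01-02", "ssn_last4": "1234"},
    "APP-1002": {"owner": "u-bob",   "name": "Bob Example",   "dob": "1975-06-09", "ssn_last4": "9876"},
}

STAFF_ROLE = "claims_adjuster"   # hypothetical role allowed to read any record


def get_application_vulnerable(session: Session, app_id: str) -> dict:
    """Authenticates (a session exists) but never authorizes: any logged-in
    user who guesses or increments app_id receives another person's PHI."""
    return dict(RECORDS[app_id])


def get_application_hardened(session: Session, app_id: str) -> dict:
    """Checks ownership against the authenticated identity on every request.
    Missing and foreign records produce the same error so the response does
    not confirm which application numbers exist."""
    record = RECORDS.get(app_id)
    is_owner = record is not None and record["owner"] == session.user_id
    is_staff = STAFF_ROLE in session.roles
    if record is None or not (is_owner or is_staff):
        raise Forbidden(f"user {session.user_id} may not read {app_id}")
    return dict(record)


def count_foreign_records_readable(handler, session: Session) -> int:
    """Simulate an attacker walking the application-number space: how many
    records not owned by the session's user does `handler` return?"""
    leaked = 0
    for app_id, record in RECORDS.items():
        if record["owner"] == session.user_id:
            continue
        try:
            handler(session, app_id)
            leaked += 1
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    alice = Session("u-alice", frozenset())
    print("vulnerable handler leaks", count_foreign_records_readable(get_application_vulnerable, alice), "foreign record(s)")
    print("hardened handler leaks", count_foreign_records_readable(get_application_hardened, alice), "foreign record(s)")
```

The decisive detail is where the identity used in the comparison comes from: it must be the session the server established at login, not a user or policy identifier echoed back in the URL or form, which is exactly what an applicant could otherwise alter to read someone else's record.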


Frequently Asked Questions


WellPoint failed to implement the administrative, technical, and physical safeguards HIPAA requires. In practice these include access controls that verify each user is entitled to the specific record requested, encryption of ePHI, workforce training, and a security risk assessment that could have identified the exposure in the online application before an applicant did.

The case took several years to resolve: the exposure occurred in 2009-2010 and the settlement was announced in July 2013. OCR investigations run from months to several years depending on the scope of the breach, its complexity, and the covered entity's cooperation.

HIPAA civil money penalties are tiered per violation, from $100 up to $50,000 per violation at the time, with an annual cap of $1.5 million for all violations of an identical provision (the amounts are adjusted for inflation). WellPoint's $1.7M payment was a negotiated resolution agreement rather than an assessed penalty, but it shows that an exposure of hundreds of thousands of records carries a substantial price.

Yes. Under the HIPAA Breach Notification Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the covered entity documents a risk assessment showing a low probability that the PHI was compromised. Proof that an unauthorized person actually acquired the data is not required, and the WellPoint case shows that leaving ePHI reachable through a web application can by itself draw an OCR investigation.

Close the vulnerability first, then document the incident and perform a breach risk assessment. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must also be reported to HHS within the same window (and to prominent media outlets where more than 500 residents of a state or jurisdiction are affected), while smaller breaches are logged and reported to HHS annually. Expect to implement a corrective action plan, and consider offering credit monitoring to affected individuals even though HIPAA does not require it.

Written by

Krishna Kurapati

Founder & CEO

Founder & CEO of QliqSOFT with 20+ years of healthcare technology experience.
