[ Wednesday, July 06, 2011 ]


Indiana Wellpoint Data Breach Fine: Wellpoint's Indiana operations (which run Anthem BCBS in Indiana) have agreed to a $100,000 fine, and have also agreed to provide credit watch services and reimbursement for ID theft problems, for violating an Indiana law that requires companies that suffer a data breach to promptly notify affected individuals and the state AG. The company had inadvertently exposed member data, including social security numbers, on a publicly available website; when this was brought to its attention, it shut down the website pronto, but didn't notify potentially affected individuals for several months. This is not a HIPAA fine, but it is one that covered entities (and others) should be aware of: most states have some sort of data breach notification statute, and if you suffer a breach, you must review not only your HIPAA obligations, but your state law obligations as well.

Jeff [8:55 AM]
