[ Wednesday, July 06, 2011 ]
Indiana Wellpoint Data Breach Fine:
Wellpoint's Indiana operations (which run Anthem BCBS in Indiana) have agreed to pay a $100,000 fine, and to provide credit watch services and reimbursement for identity theft losses, for violating an Indiana law that requires companies that suffer a data breach to promptly notify affected individuals and the state Attorney General. The company had inadvertently exposed member data, including Social Security numbers, on a publicly accessible website; when the exposure was brought to its attention it shut the website down pronto, but it did not notify potentially affected individuals for several months. This is not a HIPAA fine, but it is one that covered entities (and others) should be aware of: most states have some sort of data breach notification statute, and if you suffer a breach, you must review not only your HIPAA obligations but your state law obligations as well.
Jeff [8:55 AM]