System Upgrade? On July 11, 2013, the Department of Health and Human Services Office of Civil Rights (OCR) announced that it had reached a $1.7 million settlement with managed-care company Wellpoint, Inc., to resolve “potential” violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The settlement arises out of a computer system upgrade that left the electronic protected health information (e-PHI) of over half a million people accessible to unauthorized individuals. OCR investigated the breach of unsecured e-PHI after Wellpoint notified the government of the incident. OCR found that for 4 ½ months in 2009 and 2010 Wellpoint did not adequately implement technology to verify the identity of persons seeking access to e-PHI maintained in its web-based application database. As a result, Wellpoint impermissibly disclosed the e-PHI, including names, dates of birth, Social Security numbers, and health information, of approximately 612,000 individuals whose e-PHI was maintained in the database. OCR also faulted Wellpoint for failing to adequately implement policies and procedures for authorizing access to e-PHI maintained in its web-based database and for not performing an appropriate technical evaluation in response to the systems upgrade to verify the authentication protections in the upgrade. The Resolution Agreement does not require Wellpoint to enter a corrective action plan. As OCR says in its press release, this case “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when the changes involve Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.” Business associates and their subcontractors also need to pay attention because, effective September 23, 2013, this warning will also apply to them. Update on Faircloth v. Adventist Health System/Sunbelt , Inc. As previously reported on this blog, a former patient in Florida filed a class action suit against a hospital arising out of an alleged wrongful disclosure of patient information. On July 3, 2013, the judge in Faircloth v. Adventist Health System/Sunbelt, Inc. dismissed the case, finding that Mr. Faircloth’s claims were non-starters in federal court. Faircloth filed his class action lawsuit in federal court alleging that the hospital failed to protect his and other patients’ sensitive health information, and thereby violated the hospital’s own privacy policies and HIPAA. However, Faircloth alleged state law claims such as breach of contract, breach of implied contract, unjust enrichment, and breach of fiduciary duty. The court held that although Faircloth alleged that the hospital violated HIPAA, his case was really based on state law claims and, therefore, there was no basis to be in federal court. While HIPAA might be the standard of care a health care provider must meet to protect the privacy of patient information, in this case, that standard was merely an element of Faircloth’s state law claims. The judge also repeated what many other courts have said: HIPAA does not create a private cause of action. The court did not address whether there was a sufficient basis for a class action suit. Also, the court’s ruling does not prevent Faircloth from trying to re-file in state court. Stay tuned because privacy and security breaches like the one experienced by Wellpoint are sure to create litigation opportunities like the Faircloth case, even where the individual does not suffer any quantifiable damages. Providers and insurers should be alert to the possibility of future civil litigation when they experience a HIPAA breach.