Insurer WellPoint will pay a $1.7 million fine to settle potential HIPAA violations that it left the names, Social Security numbers and other personal health information of more than 600,000 individuals accessible over the Internet, the Health and Human Services Department said late Thursday in a news release.
The unauthorized data exposure took place from October 2009 to March 2010.
HHS' Office for Civil Rights (OCR), which oversees health information privacy, said the potential violations of the Heath Insurance Portability and Accountability Act (HIPAA) were due to WellPoint not establishing appropriate administrative and technical safeguards in its online application database.
OCR began investigating the incident following a breach report submitted by WellPoint as required by federal breach notification rules. WellPoint said in an emailed statement to Healthcare Payer News that it has cooperated with OCR throughout the investigation.
"As soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again," said WellPoint spokeswoman Cindy Wakefield in the statement.
The company said it has notified those individuals who could be affected as required by state and federal law and provided credit monitoring and identity theft insurance, although no fraud or identity theft has apparently occurred as a result of the incident.
"This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers' health data using the Internet," OCR said in the release.
Whether systems upgrades are conducted by providers or payers or their business associates, organizations are expected to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet.
Beginning Sept. 23, liability for many of HIPAA's requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors, OCR noted.