Late Thursday in a news release, The Health and Human Services Department said Insurer WellPoint will pay a $1.7 million fine to settle potential HIPAA violations that it left the names, Social Security numbers and other personal health information of more than 600,000 individuals accessible over the Internet.
The unconstitutional disclosure took place on from October 2009 to March 2010.
Potential violations of the Health Insurance Portability and Accountability Act (HIPAA) were due to WellPoint not establishing appropriate administrative and technical safeguards in its online application database said by HHS’ Office for Civil Rights (OCR), which oversees health information privacy.
OCR began scrutinizing the incident following a breach report submitted by WellPoint as required by federal breach notification rules. WellPoint said in an emailed statement to Healthcare Payer News that it has collaborated with OCR throughout the investigation.
“Immediately the situation was discovered in 2010, we made information security changes to thwart it from happening again,” said WellPoint spokeswoman Cindy Wakefield in the statement.
The company alleged it has alerted those individuals who could be affected as required by state and federal law and provided credit monitoring and identity theft insurance, although no fraud or identity theft has apparently occurred as a result of the incident.
“This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, particularly when those changes involve updates to Web-based submissions or portals that are used to provide access to consumers’ health data using the Internet,” OCR said in the release.
Organizations are expected to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information – especially information that is accessible over the Internet, whether systems upgrades are conducted by providers or payers or their business associates.