The U.S. Department of Health and Human Services has penalized WellPoint $1.7 million for potentially violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.
WellPoint notified HHS of a potential breach of unsecured protected health information. HHS then investigated and determined that security weaknesses in an online application database had left the electronic protected health information of 612,402 individuals accessible to unauthorized users, the agency announced Thursday.
In particular, HHS said WellPoint failed to:
- adequately implement policies and procedures for authorizing access to the database,
- perform an appropriate technical evaluation after its information systems underwent a software upgrade and
- put in place technical safeguards that verify everyone seeking access to the data.
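The three findings above amount to one failure pattern: a web-facing application was changed, and nobody re-tested whether every request to the data still had to pass authentication and authorization. The following is an added example, not code from WellPoint, HHS or the original article, of the kind of post-upgrade check that would catch this. The "portal" handlers, record IDs, session tokens and paths are all constructed for illustration; the `portal_before_fix` handler stands in for an application that serves records without identifying the caller, and `portal_after_fix` for the corrected behaviour. Against a real system, the same checklist would be driven with HTTP requests to the deployed endpoints using dedicated test accounts.

```python
"""Post-upgrade access-control regression check (added example).

Everything below is constructed for illustration: the record store, the
session store, the two handler versions and the paths. Substitute your own
protected endpoints and test accounts when running this against a real portal.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed dataset: member ID -> protected health information.
RECORDS = {
    "m-1001": {"owner": "alice", "diagnosis": "example-only"},
    "m-1002": {"owner": "bob", "diagnosis": "example-only"},
}

# Constructed session store: bearer token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _authenticate(req: Request) -> Optional[str]:
    """Map a bearer token to a username, or None if absent/unknown."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return SESSIONS.get(auth[len("Bearer "):])
    return None


def _record_id(path: str) -> Optional[str]:
    prefix = "/records/"
    return path[len(prefix):] if path.startswith(prefix) else None


def portal_before_fix(req: Request) -> Response:
    """Constructed 'after the upgrade, before the fix' handler: it serves any
    record by ID without checking who is asking. This illustrates the failure
    mode the article describes; it is not WellPoint's actual code."""
    rid = _record_id(req.path)
    if rid in RECORDS:
        return Response(200, RECORDS[rid])
    return Response(404)


def portal_after_fix(req: Request) -> Response:
    """Constructed hardened handler: authenticate first, then authorize the
    caller against the record's owner before returning anything."""
    rid = _record_id(req.path)
    if rid is None:
        return Response(404)
    user = _authenticate(req)
    if user is None:
        return Response(401)            # no identity, no data
    rec = RECORDS.get(rid)
    if rec is None:
        return Response(404)            # only after auth, so anonymous callers can't probe IDs
    if rec["owner"] != user:
        return Response(403)            # authenticated, but not this member's record
    return Response(200, rec)


def verify_access_controls(handler) -> list:
    """Run the post-upgrade checklist against a handler. Returns a list of
    human-readable failures; an empty list means every check passed."""
    failures = []
    for rid, rec in RECORDS.items():
        # 1. Anonymous access to a protected record must be refused.
        resp = handler(Request(f"/records/{rid}"))
        if resp.status not in (401, 403):
            failures.append(f"anonymous GET /records/{rid} -> {resp.status}, expected 401/403")
        # 2. Each authenticated user may see only the records they own.
        for token, user in SESSIONS.items():
            resp = handler(Request(f"/records/{rid}", {"Authorization": f"Bearer {token}"}))
            expected = 200 if rec["owner"] == user else 403
            if resp.status != expected:
                failures.append(f"{user} GET /records/{rid} -> {resp.status}, expected {expected}")
    # 3. A token the session store has never issued must not authenticate.
    resp = handler(Request("/records/m-1001", {"Authorization": "Bearer tok-forged"}))
    if resp.status != 401:
        failures.append(f"forged token GET /records/m-1001 -> {resp.status}, expected 401")
    return failures


if __name__ == "__main__":
    for name, handler in (("before fix", portal_before_fix), ("after fix", portal_after_fix)):
        problems = verify_access_controls(handler)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

Run as a script, the check reports five failures for the constructed pre-fix handler (two anonymous reads, two cross-member reads, one forged token) and none for the corrected one. The point of keeping it as a checklist function rather than a one-off is that it can be wired into the deployment pipeline so that every future software upgrade to the portal is re-evaluated automatically, which is the "appropriate technical evaluation" HHS found missing.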
"HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information--especially information that is accessible over the Internet," the agency said in a statement.
It added that the case is an "important message" to insurers and other organizations to "take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers' health data using the Internet."
WellPoint said it has taken steps to remedy the breach. "As soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again," the company told Reuters. It also provided credit monitoring and identity theft insurance to the affected individuals, and said it is not aware of any fraud or identity theft arising from the breach.