WellPoint slapped with $1.7M fine for HIPAA violations

HIPAA violations will cost insurer WellPoint $1.7 million in fines to the federal government. The organization was charged with HIPAA violations after it left the names, Social Security numbers and personal health information of more than 600,000 individuals accessible over the internet, according to a release from the Department of Health and Human Services (HHS).

The unauthorized data exposure took place from October 2009 to March 2010.

HHS’ Office for Civil Rights (OCR) said the potential HIPAA violations were due to WellPoint not establishing appropriate administrative and technical safeguards in its online application database.

OCR began investigating the incident following a breach report submitted by WellPoint as required by federal breach notification rules.

The company said it has notified those individuals who could be affected as required by state and federal law and provided credit monitoring and identity theft insurance, although no fraud or identity theft has apparently occurred as a result of the incident.

“This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet,” OCR officials said in the release.

OCR noted in the release that providers and payers and their business associates are expected to have “reasonable and appropriate” system safeguards in place and that beginning Sept. 23, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.