Insurer WellPoint will pay a $1.7 million fine to the federal government to settle potential HIPAA violations that it left the names, Social Security numbers and personal health information of more than 600,000 individuals accessible over the Internet, the Health and Human Services Department said late Thursday in a news release.

The unauthorized data exposure took place from October 2009 to March 2010.

HHS’ Office for Civil Rights, which oversees health information privacy, said the potential violations of the Heath Insurance Portability and Accountability Act were due to WellPoint not establishing appropriate administrative and technical safeguards in its online application database.

OCR began investigating the incident following a breach report submitted by WellPoint as required by federal breach notification rules. WellPoint said in an emailed statement to Healthcare Finance News’ sister publication, Healthcare Payer News, that it has cooperated with OCR throughout the investigation.

“As soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again,” said WellPoint spokeswoman Cindy Wakefield in the statement.

The company said it has notified those individuals who could be affected as required by state and federal law and provided credit monitoring and identity theft insurance, although no fraud or identity theft has apparently occurred as a result of the incident.

“This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet,” said OCR officials in the release.

OCR noted in the release that providers and payers and their business associates are expected to have “reasonable and appropriate” system safeguards in place and that beginning Sept. 23, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.
 

[See also: OCR calls for feedback on HIPAA audits]