WellPoint, a managed health care giant, has agreed to pay $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle HIPAA violations.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a set of rules governing the privacy and security of patient health information. It makes health care one of the most heavily regulated industries, alongside financial services.
Fines like this may also become more frequent, because direct HIPAA liability is being extended to business associates, the contractors and subcontractors that receive or store health information on a covered entity's behalf. That extension takes effect on Sept. 23 (2013).
According to the HHS, WellPoint left patient health data accessible to unauthorized users over the Internet. The HHS opened its investigation after receiving a breach report. Specifically, it found that WellPoint had failed to adequately secure an online application database, exposing names, dates of birth, addresses, Social Security numbers and health records of roughly 612,000 individuals.
In its statement announcing the fine, the HHS stressed that organizations subject to HIPAA must practice proper change management when updating Web-based applications: any change to a system that handles protected health information has to be evaluated for its security impact before it goes live.
Overall, the HHS found that from Oct. 23, 2009 to March 7, 2010 WellPoint had not adequately implemented policies and procedures for authorizing access to the database, had not performed a technical evaluation of the effect of a software upgrade on the security of its systems, and had no technical safeguards in place to verify the identity of people or systems seeking access to electronic health records.