WellPoint has agreed to pay the government $1.7 million to settle potential violations of HIPAA, the U.S. Department of Health and Human Services said Thursday.
An HHS investigation found that the health insurance giant “impermissibly disclosed” electronic protected health information of 612,402 individuals between Oct. 23, 2009 and March 7, 2010. That information included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
The health agency said that WellPoint may have violated HIPAA — the Health Insurance Portability and Accountability Act of 1996 — after the Indianapolis-based insurer reported the breach to HHS.
HHS said the case “sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.”
Beginning Sept. 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store protected health information, such as contractors and subcontractors.