The HHS wants to send a message to HIPAA-covered entities

Jul 12, 2013 21:01 GMT

WellPoint Inc., the managed care company that exposed the electronic protected health information (ePHI) of 612,402 individuals in 2010, has agreed to pay the US Department of Health and Human Services (HHS) a total of $1.7 million (€1.3 million) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The HHS Office for Civil Rights (OCR) started its investigation into WellPoint after the company filed a report indicating that security holes in its online application database made the details of a large number of individuals accessible over the Internet.

The OCR found that WellPoint did not implement policies and procedures for authorizing access to its online application database. In addition, the company did not evaluate the impact of a software update to its information systems.

WellPoint also failed to deploy technical security measures that would verify the entity seeking access to its database.

“This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet,” the HHS wrote in a press statement.