Health insurer WellPoint Inc agreed to pay a fine of $1.7 million for allowing health and other personal information from hundreds of thousands of people to be accessed over the Internet, the U.S. Department of Health and Human Services said on Thursday.
Security weaknesses in a WellPoint online application database exposed information for 612,402 individuals between October 2009 and March 2010, according to the agency.
Data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.
WellPoint, the second largest U.S. health insurer, agreed to the fine to settle potential violations of healthcare privacy laws.
Since privacy laws prohibiting such potential disclosures by insurers or providers were enacted in 2009, HHS has received 627 reports of breaches involving 500 or more individuals, according to HHS spokeswoman Rachel Seeger. The first case to be settled involved a $1.5 million fine paid by Blue Cross/Blue Shield of Tennessee in March 2012, she said.
WellPoint said it informed those who were potentially impacted and has cooperated with the review.
“As soon as the situation was discovered in 2010, we made information security changes to prevent it from happening again,” the company said in an emailed statement.
WellPoint said it also provided credit monitoring and identity theft insurance to all those affected, and that it is not aware of any fraud or identity theft arising from the incident.