Health insurance company fined $1.7 million for not protecting patient information

Health insurer WellPoint agreed to the HHS' $1.7 million fine for violating HIPAA policies.
The healthcare industry is in the midst of implementing technological changes that give doctors access to patient information online through electronic health records (EHRs). There are still some critics who fear that medical facilities are putting their patients at risk from potential data breaches.

This is why the federal government enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any party that fails to safeguard confidential information, including hospitals, vendors and third-party contractors, faces heavy fines. If an organization believes it was a victim of a data breach, it must report the issue to the U.S. Department of Health and Human Services (HHS).

Data breach costs health insurer WellPoint $1.7 million 

The Indianapolis-based health insurer is the second-largest provider in the United States, according to Reuters. Including its subsidiaries, WellPoint has over 100 million customers.

Over 600,000 patients were notified that their information was poorly protected on WellPoint's web-based application, according to a news release from HHS. Individuals who were a part of WellPoint's ePHI network between October 2009 and May 2010 had their name, date of birth, address, Social Security number and health information exposed to the Internet.

HHS' report confirmed that WellPoint failed to "adequately implement policies and procedures for authorizing access to the on-line application database," making it possible for many parties to access patient information.

While WellPoint agreed to pay the hefty $1.7 million fine, EHR vendors and users should have the proper software in place that allows patients safe access to their information online. Since the company was aware of the issues with its web interfaces, officials told Reuters that they "made information security changes to prevent it from happening again."

Businesses that need assistance regularly updating their disaster recovery plans to recover quickly from data breaches can reach out to business continuity consultants that specialize in this area.