The U.S. Department of Health and Human Services said Thursday that health insurer WellPoint Inc. will pay $1.7 million to resolve allegations it left the information of more than 612,000 members available online because of inadequate safeguards.
The agency said that between Oct. 23, 2009, and March 7, 2010, security weaknesses in an online application database left the information of 612,402 people accessible to unauthorized users. That information included names, birthdates, addresses, telephone numbers, Social Security numbers, and health data.
The Health and Human Services Department said WellPoint didn't have adequate policies for authorizing access to the database, didn't perform a needed technical evaluation after a software upgrade, and did not have technical safeguards to verify that the people or entities seeking access were authorized to view the information in the database.
WellPoint, which is based in Indianapolis, reported the breach to the Health and Human Services Department. The agency then started an investigation, saying WellPoint's actions may have violated the Health Insurance Portability and Accountability Act, or HIPAA.
Shares of WellPoint rose 66 cents, to $85.41, on Thursday, reaching a five-year high of $85.60 as the markets climbed to record levels.