On July 11, 2013, HHS announced that WellPoint Inc., the second largest U.S. health insurer, had agreed to pay a $1.7 million fine because its online application database allowed access to the protected health information of 612,402 individuals during a period from October 2009 until March 2010. This data included names, dates of birth, addresses, Social Security numbers, telephone numbers and health information.

The HHS Office of Civil Rights found that WellPoint violated HIPAA privacy and security laws because it did not:

  • Adequately implement policies and procedures for authorizing access to the online application database;
  • Perform an appropriate technical evaluation in response to a software upgrade to its information systems; or
  • Have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.

HHS reiterated that HIPAA covered entities should "take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers' health data using the Internet."