Anthem, the victim of a recent massive cyberattack that exposed 80 million people's information, was fined $1.7 million in 2010 for a smaller data breach.
The HHS imposed the fine after a data breach compromised approximately 612,000 people's information, according to an HHS investigation from 2010. At the time, Anthem was known as WellPoint, a name that came from its merger with WellPoint Networks in 2004.
The HHS investigation found inadequate policies and procedures to protect electronic health information throughout 2009 and 2010 at WellPoint, violating HIPAA. The investigation did not disclose how the breach occurred.
"The personally identifiable information that HIPAA-covered health plans maintain on enrollees and members — including names and Social Security numbers — is protected under HIPAA, even if no specific diagnostic or treatment information is disclosed," Rachel Seeger, a senior HHS adviser, told USA Today.
The data exposed included names, dates of birth, addresses, Social Security numbers, phone numbers and health information. The chief information security officer was Roy Mellinger, who is now the CISO for Anthem.