WellPoint has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the HIPAA Privacy and Security Rules (h/t Softpedia).

From October 23, 2009 to March 7, 2010, weaknesses in an online application database left 612,402 people's names, birthdates, addresses, phone numbers, Social Security numbers and health information exposed online.

An investigation by the HHS Office for Civil Rights determined that WellPoint had failed to "adequately implement policies and procedures for authorizing access to the online application database," to "perform an appropriate technical evaluation in response to a software upgrade to its information systems," and to "have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database."

"Whether systems upgrades are conducted by covered entities or their business associates, HHS expects organizations to have in place reasonable and appropriate technical, administrative and physical safeguards to protect the confidentiality, integrity and availability of electronic protected health information -- especially information that is accessible over the Internet," HHS said in a statement.