Source: Indianapolis Star (IN)
June 30 – A security glitch at a WellPoint website may have publicly exposed the medical records and credit-card numbers of roughly 470,000 customers, including about 23,000 in Indiana.
The lapse, which lasted from October through March, potentially affects a small slice of WellPoint’s 2.8 million members of Anthem Blue Cross and Blue Shield in Indiana — those who had applied for individual policies with the Indianapolis-based health insurance giant.
It is the largest of three security breaches reported by WellPoint in the past 3 1/2 years. The company has attributed all three to outside vendors.
WellPoint’s recent incident pales by comparison to some other companies’ security troubles. In 2007, TJ Maxx reported that 100 million customer accounts were potentially exposed.
Still, Paul Stephens of the Privacy Rights Clearinghouse labeled the WellPoint breach “very serious” because it possibly involved both financial and medical information.
WellPoint’s recent lapse involved a website people can use to check the status of their applications for individual insurance coverage. WellPoint said individuals were able to manipulate the Web address on the site to view unauthorized information.
WellPoint said a third-party vendor — which it did not identify — had completed an upgrade on the website in October and validated that needed security measures were in place, when in fact they were not.
“As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again,” WellPoint spokesman Jon Mills said in an e-mail.
He said the security issue was fixed within 12 hours of being identified in March. WellPoint said it sent letters on June 18 to those whose information was potentially exposed.
Mills added that the company engaged in “extensive forensic IT analysis” from March through June to determine whose information was accessed and who accessed it.
“The analysis is still ongoing, but, out of an abundance of caution, we decided to notify everyone who had information on the application tracker,” Mills said.
Those potentially impacted are being offered free identity-protection services for one year, the company said.
WellPoint learned of the breach in March when an applicant sued WellPoint over the issue in California’s Orange County. WellPoint said most of the Web-address manipulation and resulting unauthorized access to information has come from attorneys representing the applicant who filed suit.
The information included customers’ names, addresses, medical records, credit card numbers, Social Security numbers and other personal information.
WellPoint said it requested by letter and in a court filing that the attorneys return all information gleaned from the website. “As a result, that information has been delivered to a court-approved custodian who will ensure its security,” Mills said in an e-mail.
Information such as names, addresses and credit card numbers for all 470,000 applicants might have been accessed.
WellPoint spokeswoman Cindy Sanders said 940 individual insurance applications were improperly accessed — meaning those people’s medical histories were exposed.
California’s Anthem Blue Cross had the biggest number of potential victims, with about 230,000 applicants whose information was vulnerable. WellPoint, which has 34 million members nationwide, operates Blue Cross and Blue Shield plans in 14 states.
One Internet security expert likened the incident to a security error as basic as leaving your door unlocked in a bad neighborhood.
“What you’ve found is a company that didn’t test its code,” said Alan Paller, director of research at the SANS Institute, a Maryland-based organization that provides information-security training and certification. “That’s an unacceptable programming error, but it’s an error that’s made commonly.”
Call Star reporter Daniel Lee at (317) 444-6311.
Copyright (c) 2010, The Indianapolis Star
Distributed by McClatchy-Tribune Information Services.