WellPoint customer information exposed for a year
Date Reported:
4/8/08
Organization:
WellPoint, Inc.
Contractor/Consultant/Branch:
An unnamed data management vendor
Victims:
Customers
Number Affected:
~128,000
Types of Data:
"may have included Social Security numbers and pharmacy or medical data"
Breach Description:
"Personal information that may have included Social Security numbers and pharmacy or medical data for about 128,000 WellPoint Inc. customers in several states was exposed online over the past year, the health insurer said Tuesday."
Reference URL:
CORRECTED: PogoWasRight
BusinessWeek
The Courier-Journal
RTT News
Report Credit:
CORRECTED: Associated Press via Tom Murphy at BusinessWeek
PogoWasRight
Response:
From the online sources cited above:
Personal information that may have included Social Security numbers and pharmacy or medical data for 128,000 WellPoint customers in several states was exposed online over the past year, the Indianapolis health insurer said yesterday.
[Evan] Exposed for over a year and nobody (at WellPoint or the vendor anyway) noticed until recently? WellPoint is a large company with millions of confidential records and conflicting business issues, but is this any excuse?
WellPoint, which has had other data security issues in the past, recently learned about the problem, fixed it and is notifying customers, spokeswoman Shannon Troughton said.
The nation's largest health insurer by membership is offering free credit-monitoring services for those customers, but has received no reports of identity theft or credit fraud.
[Evan] Uh. There's the short-sighted, limited-effectiveness credit monitoring again. Credit monitoring can limit the damage done by fraudsters, but only after some damage has already been done.
The latest security lapse stems from two servers maintained by an outside vendor that Troughton declined to identify.
The vendor specializes in data management.
[Evan] Not very well. Part of data management is data security or vice versa.
WellPoint had learned early last year that a server was improperly secured, and that information on about 1,350 customers may have been exposed online and was vulnerable to Internet search engines. The insurer fixed that breach quickly, Troughton said.
But the company recently learned that a second server had problems which exposed information for more than 128,000 customers to Internet access for about a year. That data had some code protection and couldn't be found by people using search engines.
That problem has been corrected, Troughton said, and the company is working with experts to improve its security.
[Evan] Yeah. I hope the experts are really experts. This really calls for some.
It is still using the same vendor.
[Evan] Really?
"We're constantly working to fortify and bolster our security," she said.
Commentary:
I just wrote the WellCare breach, and now we have the WellPoint breach. Both are health care companies and both involved unsecured online information. Weird.
Anyway. This is definitely a preventable exposure of personal information that should have been identified much earlier. Due to this and other facts surrounding previous breaches, I think there is cause for serious concern.
Past Breaches:
March, 2007 - Medical Data on Empire Blue Cross Members May Be Lost
February, 2007 - Healthcare groups bleed patient data
Evan:
The breach was first exposed by PogoWasRight.org, not the AP reporter, who simply got the first mainstream media response to our exposé. We would appreciate it if your site linked to the report that set all of the MSM journos running: http://www.pogowasright.org/staticpages/index.php?page=20080407084747373
And if any of your readers receive a notification letter from WellPoint, please send our site a copy.
Thanks.
Thanks for the correction! I will take your word for it and update the Breach Blog post accordingly.
Thanks again.
Evan