WellPoint web vulnerability may affect more than 470,000 people
Date Reported:
6/23/10
Organization:
WellPoint, Inc.
Contractor/Consultant/Branch:
Anthem Blue Cross and Blue Shield
Location:
Undisclosed
Victims:
Members and insurance applicants
Number Affected:
"at least 470,000"
Types of Data:
"personal health and financial information, as well as some Social Security numbers"
Breach Description:
"Anthem Blue Cross in California, a unit of WellPoint Inc., during the week of June 21 began notifying about 230,000 members and insurance applicants that a Web site used to apply for individual health policies was breached. Now, Indianapolis-based WellPoint, which operates Blues plans in 14 states, is notifying many more across the nation, with at least 470,000 potentially affected individuals identified."
Reference URL:
The Orange County Register
Creditnet
Health Data Management
Report Credit:
Courtney Perkes, The Orange County Register, also;
An unnamed, informed reader of the Breach Blog
Response:
From the online sources cited above:
Anthem Blue Cross in California, a unit of WellPoint Inc., during the week of June 21 began notifying about 230,000 members and insurance applicants that a Web site used to apply for individual health policies was breached.
[Evan] WellPoint doesn't exactly have the best record when it comes to protecting sensitive personal (and health) information. This is at least the 3rd breach that I recall in the past few years.
Now, Indianapolis-based WellPoint, which operates Blues plans in 14 states, is notifying many more across the nation, with at least 470,000 potentially affected individuals identified.
The Anthem Web site was upgraded last October and a third-party vendor validated all security measures were reinstated.
[Evan] It would be interesting to know who the "third-party vendor" is and what "all security measures were reinstated" means. Reinstating poor security measures still means you have poor security measures.
The company learned in March that personal health and financial information, as well as some Social Security numbers, remained accessible when an applicant filed a lawsuit after discovering the breach.
Newport Beach attorney Mark Robinson filed a class action lawsuit on behalf of a Los Angeles County resident who discovered that her application for insurance was available for public view.
Sanders said it's unclear how many customers' information was viewed, but that letters were sent to 230,000 Californians out of an "abundance of caution."
[Evan] Ugh, seriously?! I get queasy every time I read the "abundance of caution" bit. Companies should be notifying the owners of information because um, I don't know, IT'S THE RIGHT THING TO DO or maybe BECAUSE IT'S THE LAW.
Anthem contends the vast majority of access to data resulted from attorneys involved in the litigation.
The company says it has requested and received all information the attorneys obtained.
WellPoint is offering free credit and identity theft protection services for one year to affected individuals.
Cathy Luckett of San Juan Capistrano was dismayed to learn that Social Security and credit card numbers were potentially viewed.
"I'm thinking this is the 21st century," said Luckett, 57, who bought an individual policy in February. "I expect this company, Anthem Blue Cross, to protect my information."
In a written statement, Anthem Blue Cross explained how the breach occurred:
"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system.
[Evan] How could you miss this one? Seems like a pretty simple exploit.
After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not.
As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."
"There's not one place that has more information on you than your health insurer," said Hal Ziegler, 47, of Mission Viejo. "It's the absolutely most personal level of information all the way down to Social Security numbers. That would be about the last place I would want someone to gain access."
Commentary:
People have a right to be ticked off when their personal information is mishandled by others. To be honest, WellPoint probably does have a pretty good information security program, but breaches like this one are very irritating. What started off as a smaller legal issue now becomes a much larger one for the company.
And our plug… FRSecure can validate your information security program and controls. Hopefully a lot better than this third-party vendor. ;)
Past Breaches:
WellPoint: Numerous