WellPoint Notifies 470,000 of Web Breach

Glitch Made Some Applicant Information Accessible Online
(This is an updated version of an earlier story about a breach at Anthem Blue Cross, which was just one of the WellPoint units involved in this incident.)

WellPoint Inc., which owns Blue Cross and Blue Shield plans in 14 states, is notifying 470,000 people who applied for individual health insurance coverage that their information may have been breached on a web site.

The insurer became aware of the breach March 8, when it was notified that one insurance applicant filed a class action lawsuit claiming applicant information was readily accessible on the web site, says Roy Mellinger, WellPoint's vice president of information technology security and chief information security officer. The insurer fixed the web glitch that made the data accessible within 12 hours of confirming the problem, he adds.

WellPoint launched an extensive forensics investigation, which is continuing. It determined that attorneys for the plaintiff in the case accessed 2,000 or fewer "screen view" summary records in a format similar to a spreadsheet, Mellinger says. Some of these summaries included Social Security numbers. The investigation, however, could not pinpoint which applicants' records were accessed.

As a result, the insurer decided to notify all 470,000 applicants in its database about the breach. Such notification is required under the HITECH Act breach notification rule. Those notified had applied for individual coverage in many, but not all, of WellPoint's health plans, including Anthem Blue Cross, also known as Blue Cross of California.

Of the screen view summaries that were accessed, 935 linked to PDF files with more information. The attorneys for the plaintiff accessed 240 of those PDFs, Mellinger says.

The notification of 470,000 would make this the third largest breach reported to the Health and Human Services Office for Civil Rights, although the incident had not yet been posted to its official breach list as of June 24.

How It Happened

When someone applies for WellPoint's individual coverage, they receive a URL for an application tracker program where they can get updates on the status of their application. "For a brief period of time, security was not functioning properly," Mellinger explains. The problem occurred following an upgrade to the system.

"After the upgrade was completed, a third-party vendor validated that all security measures were in place when, in fact, they were not," according to a statement from the insurer.

As a result of the glitch, the plaintiff in the case was able to access private information on the site by back spacing out of the URL she was sent, Mellinger says. She called attorneys, who then accessed even more information before filing the lawsuit, he adds.

As a result of court filings by the insurer, certain information acquired by the attorneys has been delivered to a court-approved custodian, Mellinger says.

Although there is no evidence that any data was misused, WellPoint is offering all 470,000 insurance applicants in its database a year's worth of free identity and credit protection services "out of an abundance of caution," the security officer adds.

"We are currently weighing our legal options with respect to the data, the impact, if any, on our members, and the remediation costs incurred as a result of these actions," the insurer said in its statement.


About the Author

Howard Anderson


News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



