Anthem Blue Cross Fined in Breach Case

State Settlement Also Requires Process Changes
California Attorney General Kamala Harris has entered into a settlement with Anthem Blue Cross in a data breach case involving the insurer mailing almost 34,000 letters printed with the Social Security numbers of certain members viewable through the envelopes' windows.

Under the terms of the settlement recently filed in Superior Court of California, County of Los Angeles, Anthem Blue Cross, also known as California Blue Cross, agreed to pay a $150,000 penalty. That payment by one of California's largest insurers includes $40,000 that's being placed in a state Unfair Competition Law Fund and $110,000 for legal and investigative costs related to the case.

The privacy breach case involved a marketing letter Anthem Blue Cross sent in April 2011 to more than 31,000 Medicare supplemental coverage members and more than 2,600 payment collection letters mailed to Medicare Part D members between December 2011 and March 2012.

The state charged that Anthem Blue Cross' "acts and practices of unfair competition" violated state privacy laws regarding printing and publicly displaying Social Security numbers.

Corrective Action

In addition to the monetary payments, the insurer also must implement a number of breach prevention procedures within 90 days, according to the settlement. Those include:

  • Creating a written policy that prevents unauthorized disclosure of its members' Social Security numbers;
  • Implementing technical safeguards and alerts in its data management systems used for member mailings to help prevent disclosure of Social Security numbers;
  • Renaming the data fields in its computer systems used for member and prospect mailings to clearly convey when a field contains a Social Security number;
  • Restricting access by its non-management staff members to member Social Security numbers in computer systems used for mailings;
  • Requiring approval from a member of its senior compliance privacy team for prospect and current member data pulls related to marketing mailings that involve confidential information other than name and address;
  • Developing a comprehensive training program regarding safeguarding confidential personal information of its members.

Earlier, Anthem Blue Cross offered members affected by the breach one year of free credit monitoring.

In a statement, the insurer says: "It is important to note there is no indication of a data breach or that any information from these mailings was used in a way that was detrimental to our members. Anthem has put training and processes in place to correct these errors.

"Additionally, we have developed an alert system that will be activated whenever sensitive information is requested from our marketing system. We have cooperated fully in the attorney general's inquiry."

In 2010, Anthem Blue Cross was one of several units of WellPoint Inc. that eventually notified a total of 480,000 people who applied for individual health insurance coverage that their information may have been breached on a website.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



