The latest revelations on the Anthem/Wellpoint breach raise some questions for this blogger.
Matthew Sturdevant reports that the recently disclosed Anthem breach may affect many more than the 230,000 recently reported:
An online security breach put at risk the personal, financial and medical information of 470,000 WellPoint customers nationwide, including 5,600 in Connecticut, customers are learning this week in notification letters from the company.
The breach only affects those who used the company’s Web portal to apply for individual-market health insurance through WellPoint subsidiaries, mostly Anthem Blue Cross or Anthem Blue Cross and Blue Shield, in 10 states. It doesn’t affect those who have group-based insurance through WellPoint or Anthem, such as plans offered through an employer, union or some other organization.
BUT: A commenter on a previous thread on PHIprivacy.net had noted that they got the letter and they were not an applicant but an existing customer, so there is still some question in my mind as to exactly who was affected.
In October, WellPoint hired a computer company to update security on its online application process, but the work left a flaw that allowed some to tinker with the system and see other people’s applications, said WellPoint spokesman Cindy Sanders.
Somewhat disturbingly, it seems that after a customer discovered the problem following the upgrade, she got a lawyer and filed suit. But did she ever notify the company so that they could secure the database, or did she and her lawyer just file suit? The news story reports:
The company learned of the security flaw in March when it received a subpoena for a lawsuit seeking class-action status in a California court, Sanders said. The security flaws were fixed in March. An internal WellPoint investigation discovered that the information was accessed by fewer than 10 unidentified computers — someone other than the health insurer’s employees and affiliates.
WellPoint had a major breach back in 2008 that had been exposed by PogoWasRight.org, where data were seemingly left with inadequate security for over a year, even after a customer reported the problem to them and even after they had supposedly secured the database. In that case, and this one, the contractor responsible for the security was not named. Was it the same one? The current breach exposed a lot of sensitive data:
Those who hacked into the system could have seen applications, which include a person’s name, Social Security number, credit card information, health information and medical history. Besides Connecticut, the breach affected Anthem and WellPoint customers in California, Colorado, Indiana, Kentucky, Missouri, Nevada, New Hampshire, Ohio and Wisconsin.
Read more in the Hartford Courant.
Cross-posted from PHIprivacy.net