On April 7, PogoWasRight.org exposed two previously unreported incidents involving WellPoint, Inc. The story was not the end of that site’s investigation, however, and subsequent statements by their spokespeople and a notification by UniCare’s lawyers to the New Hampshire Department of Justice only raised additional questions about what happened and why.
On April 14, PogoWasRight.org wrote to Hinman Straub, attorneys for UniCare, to follow up on a letter they sent to the New Hampshire Department of Justice the day after PogoWasRight.org notified WellPoint about its leaky server(s) and its intent to publish their security problems. On April 17 and 18, PogoWasRight.org also wrote to WellPoint with additional questions. No one replied to any of the requests.
It is now two months later, and WellPoint has yet to issue any additional statement following up on the breach or clarifying what they found in their investigation. So here are some questions that this site thinks need to be answered:
1. On what date was WellPoint first alerted to the exposure problem that resulted in indexing and caching of files by Google, and how did WellPoint find out? What steps did WellPoint’s contractor then take to secure the files other than to use a robots.txt file to request nonindexing by search engines?
2. How many files were indexed by Google and cached in Google, for how long, and how many individuals had PII or PHI in those files? How many individuals had SSN in those files?
3. Did WellPoint determine how many times files containing PII or PHI were accessed by others outside of WellPoint due to the exposure incident?
4. Did WellPoint have any outside security firm check to determine how many files and how many people had PII or PHI indexed or cached in the period February – April 2007? If so, when did the security firm perform that analysis?
5. On April 2, 2008 UniCare’s attorneys notified the New Hampshire Department of Justice:
Approximately one year ago, it was discovered that a computer server that contained protected health information (PHI) was not properly secured by a third party vendor for a period of time, which caused the PHI of certain UniCare members to be temporarily accessible via the internet.
The PHI contained member ID numbers (which in some cases included a social security number) and certain pharmacy/medical data that pertained to the member or the member’s dependents enrolled under the member’s health plan. We quickly initiated an assessment and secured the PHI. We implemented additional security measures to ensure that similar incidents do not recur.
We also notified the members who we determined might have been impacted. On December 27, 2007, we discovered that the PHI of additional members might have been accessible via the internet at the time of this incident. UniCare is addressing this issue with the vendor. Upon notification of the loss, UniCare immediately initiated an investigation into the matter. UniCare has no indication at this time that any instances of identity theft related to this situation have occurred.
Was it these UniCare members that WellPoint was referring to when they mentioned an “earlier” incident involving 1350 people?
If the incident UniCare’s lawyers describe is the same one WellPoint referred to, did the 1350 figure include everyone affected by the exposure or just those who were notified early last year?
Exactly how did UniCare/WellPoint learn on December 27th that there were more individuals whose data were vulnerable from the exposure incident earlier in 2007? How many more people did they then discover were affected?
If UniCare learned on December 27th that others were affected, why did it take them until April 2 to notify the NH DOJ and — more importantly — to notify those affected?
6. Exactly how and when did WellPoint first learn that a second server had not been properly secured?
7. For how long was that server improperly or inadequately secured? Did WellPoint’s subsequent investigation reveal that more than 128,000 individuals had PII or PHI on that server? If so, how many had data on that server that was inadequately secured?
8. How many members had PII or PHI in files exposed or left vulnerable due to the improperly secured second server?
9. Does the vendor who maintained the servers maintain all servers containing PII or PHI for all WellPoint’s over 34 million members? When did that vendor first take over maintenance of the servers?
10. Prior to April 2008, when was the last time WellPoint brought in an outside security firm to audit or check their security?
11. Has WellPoint now determined whether any other servers were also leaking? Were all files and all servers containing PII and PHI improperly secured by this vendor?
Given the vast amounts of PII and PHI that WellPoint collects and maintains, the potential privacy and security implications of improperly secured servers are enormous.
If the government wants to promote greater use of electronic health records, databases, and networking, it should show that it is serious about protecting our data and monitoring for security standards and compliance. Toward that end, Congress should investigate these — and similar — incidents in public hearings so that we can learn what went wrong and what kind of legislation may be needed to better protect the privacy and security of our personal health information.
These were WellPoint’s third and fourth incidents involving unencrypted files since October 2006. While WellPoint is not the only HIPAA-covered entity to experience breaches involving unencrypted data or breaches involving contractors, the four incidents of theirs that we know about comprise millions of records and affected approximately 400,000 people (or more). If the largest commercial health insurance company keeps failing to protect the privacy and security of our data, how is the public to have trust in the system?
Congress can learn from past security failures if it takes the time to investigate what went wrong and what provisions any new law should incorporate. I hope that they will do so.