From the CTWatchdog:
Connecticut Attorney General Richard Blumenthal is investigating a massive security breach that allegedly compromised private financial and health information on nearly a half million WellPoint consumers, including thousands in Connecticut.
In a letter to WellPoint Inc., Blumenthal has requested detailed information about how the breach occurred, what steps have been taken to protect the affected individuals, and what new procedures have been adopted to prevent future breaches.
Blumenthal is also calling on WellPoint to provide the same protection that other companies have done after similar breaches — at least two years of credit monitoring, at least $25,000 of identity theft insurance and expenses covered to impose and later lift any security freeze on consumers’ credit reports.
[…]
Blumenthal is seeking a response by July 9. The information he is seeking includes:
- the name and address of the computer company that updated the online application process in October 2009;
- what security protections, hardware or software, were present or used on the online application system prior to the upgrade;
- the categories of information contained on the online system and compromised by this breach;
- the process by which someone would be able to “manipulated the URL address” in order to view other individuals’ information;
- prior measures to safeguard sensitive information;
- how and when WellPoint first learned about the breach;
- the circumstances under which the information was accessed or viewed by anyone without authorization;
- what, if any, security protocols or procedures were in effect to prevent the exposure of private information to users or applicants using the online system;
- the number of individuals affected by this incident and their state of residence;
- all steps taken to determine what caused the flaw in the online application system and the time period in which private information was publicly available;
- how WellPoint determined that the information was accessed by fewer than 10 unidentified computers — someone other than the health insurer’s employees and affiliates;
- copies of all investigative reports or audits relative to this incident;
- all steps taken or that will be taken to warn all affected persons that their private information may have been compromised, and copies of any notification letters already sent;
- an outline of any plan to prevent a future breach and a timeline for implementing that plan; and
- corporate policies regarding securing servers, databases, or other systems containing private information.