Written by Kenneth Gantz
Anthem Blue Cross is notifying approximately 230,000 members and applicants for individual health insurance of a breach involving a web site used by individuals to apply for insurance and track the status of their applications. Anthem claims that attorneys managed to manipulate the web address within the web site in order to obtain information in support of a class action lawsuit against the insurer.
The attorneys were apparently able to access medical information in addition to Social Security and credit card numbers, resulting from a failure to reinstate security mechanisms following an October 2009 upgrade to the web site. As part of a statement issued by the company, Anthem offered the following: "The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that discovered, we made the necessary security changes to prevent it from happening again. "We have requested both by letter and in court filings that the attorneys return all information improperly obtained from the individual application system and as a result, that information has been delivered to a court approved custodian who will ensure its security.”
Interestingly, Anthem said that “out of an abundance of caution” it is providing a detailed notification explaining what happened to individuals who might be affected by the breach, but apparently no legal obligation from its point of view. California law requires that affected residents be notified of breaches of health information. See /newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf. The insurer will also offer notified individuals a year of free identity protection services. Meanwhile, Anthem is weighing legal action it might take “with respect to the data, the impact—if any—on our members, and the remediation costs incurred as a result of these actions.”