Written by Kenneth Gantz
Anthem Blue Cross is notifying approximately 230,000 members and applicants for individual health insurance of a breach involving a web site used by individuals to apply for insurance and track the status of their applications. Anthem claims that attorneys managed to manipulate the web address within the web site in order to obtain information in support of a class action lawsuit against the insurer.
The attorneys were apparently able to access medical information in addition to Social Security and credit card numbers, resulting from a failure to reinstate security mechanisms following an October 2009 upgrade to the web site.As part of a statement issued by the company, Anthem offered the following: "The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that discovered, we made the necessary security changes to prevent it from happening again."We have requested both by letter and in court filings that the attorneys return all information improperly obtained from the individual application system and as a result, that information has been delivered to a court approved custodian who will ensure its security.”
Interestingly, Anthem said that “out of an abundance of caution” it is providing a detailed notification explaining what happened to individuals who might be affected by the breach, but apparently no legal obligation from its point of view. California law requires that affected residents be notified of breaches of health information. See http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf. The insurer will also offer notified individuals a year of free identity protection services. Meanwhile, Anthem is weighing legal action it might take “with respect to the data, the impact—if any—on our members, and the remediation costs incurred as a result of these actions.”
Related Links:http://www.insurancenetworking.com/news/health_insurance_technology_Anthem_Blue_Cross_data_security_risk-25114-1.html
AddThis
Subscribe To
Posts
Comments
About The Editor and Contributors
Cynthia Larose is a member in Mintz Levin's Corporate Group and leads our Privacy and Security practice. She is a Certified Information Privacy Professional, working with clients in various industries to develop comprehensive information security programs on the front end, and providing timely counsel when it becomes necessary to respond to a data breach. For Cynthia's complete Biography, visit Mintz Levin corporate website here
Contributors
Dianne Bourque - Bio
Elissa Flynn-Poppey - Bio
Haydon A. Keitner - Bio
Lance Kurata - Bio
Kevin M. McGinty - Bio
Jennifer Rubin - Bio
Julia Siripurapu - Bio
Michael S. Arnold - Bio
