11/2/2010
03:45 PM

Indiana AG Sues Wellpoint Over Health Data Breach

Consumer health data was at risk for 137 days through an unsecured Wellpoint website, alleges the suit filed against the health insurer.

The Indiana attorney general's office has filed suit against health insurer Wellpoint for delaying notification of customers of a data breach earlier this year.

Indiana law requires businesses to notify individuals potentially affected by data breaches, as well as the attorney general's office, "without reasonable delay," according to a statement by Indiana AG Greg Zoeller's office.

However, the AG office alleges that data including Social Security numbers, health records, and financial information for about 32,000 Indiana consumers was potentially available to the general public through an unsecured Wellpoint website for about 137 days, between October 2009 and March 2010. The data was submitted to Wellpoint by applicants seeking insurance coverage.

The AG office alleges that while Wellpoint was notified on February 22 and March 8 of this year that application records containing personal information were accessible from its public website, Wellpoint didn't begin notifying individuals about the security breach until June 18, 2010. Wellpoint did not respond to an inquiry from the AG about news reports regarding the breach until July 30, according to the AG office.

Indiana is seeking $300,000 in civil fines from Wellpoint for the alleged "unreasonable delay" in notifying individuals and the AG's office, according to the AG's statement. The AG's office said it has not received any consumer complaints about identity theft related to the data leak.

"While most inadvertent security breaches do not result in fraud, notifying those affected in a timely manner significantly reduces the risk of identity theft," said the AG office in its statement. "Situations involving the theft of personal information for the purposes of identity theft most often result in some form of fraud occurring within seven to 10 days," said the AG office.

In a statement sent to InformationWeek in response to a request for comment, Wellpoint said, "Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations."

Anthem Blue Cross and Blue Shield is Wellpoint's operation serving several states, including Indiana, Colorado, Connecticut and Maine.

"As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again," said Wellpoint's statement.

"We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted," Wellpoint said.

"We made an effort to communicate directly to each of the applicants who were potentially affected. This communication occurred when our extensive analysis was complete."

Finally, "though the majority of individuals who submitted applications were not impacted by the incident, out of an abundance of caution, each applicant received a detailed notification from Anthem Blue Cross and Blue Shield explaining what happened, and was offered identity protection services for one year at no cost."
