Risk
11/2/2010
03:45 PM
50%
50%

Indiana AG Sues Wellpoint Over Health Data Breach

Consumer health data was at risk for 137 days through an unsecured Wellpoint website, alleges the suit filed against the health insurer.

Healthcare Innovators
Slideshow: Healthcare Innovators
(click image for larger view and for full slideshow)

Indiana's attorney general office has filed suit against health insurer Wellpoint for delaying notification of customers of a data breach earlier this year.

Indiana law requires businesses to notify individuals potentially affected by data breaches, as well as the attorney general's office "without reasonable delay," according to a statement by Indiana AG Greg Zoeller's office.

However, the AG office alleges that data, including social security numbers, health records, and financial information for about 32,000 Indiana consumers were potentially available to the general public through an unsecured Wellpoint website for about 137 days, between October 2009 and March 2010. The data was submitted to Wellpoint from applicants seeking insurance coverage.

The AG office alleges that while Wellpoint was notified on February 22 and March 8 of this year that application records containing personal information was accessible from its public website, Wellpoint didn't begin notifying individuals about the security breach until June 18, 2010. Wellpoint did not respond to an inquiry from the AG about news reports regarding the breach until July 30, according to the AG office.

Indiana is seeking $300,000 in civil fines from Wellpoint for the alleged "unreasonable delay" in notifying individuals and the AG's office, according to the AG's statement. The AG's office said it has not received any consumer complaints about identity theft related to the data leak.

"While most inadvertent security breaches do not result in fraud, notifying those affected in a timely manner significantly reduces the risk of identity theft," said the AG office in its statement. "Situations involving the theft of personal information for the purposes of identity theft most often result in some form of fraud occurring within seven to 10 days," said the AG office.

In a statement from Wellpoint sent to InformationWeek in response to seeking comment, the company said, "Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations."

Anthem Blue Cross and Blue Shield is Wellpoint's operations serving several states, including Indiana, Colorado, Connecticut and Maine.

"As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again," said Wellpoint's statement.

"We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted," Wellpoint said.

"We made an effort to communicate directly to each of the applicants who were potentially affected. This communication occurred when our extensive analysis was complete."

Finally, "though the majority of individuals who submitted applications were not impacted by the incident, out of an abundance of caution, each applicant received a detailed notification from Anthem Blue Cross and Blue Shield explaining what happened, and was offered identity protection services for one year at no cost."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.