Risk

11/2/2010
03:45 PM
50%
50%

Indiana AG Sues Wellpoint Over Health Data Breach

Consumer health data was at risk for 137 days through an unsecured Wellpoint website, alleges the suit filed against the health insurer.

Healthcare Innovators
Slideshow: Healthcare Innovators
(click image for larger view and for full slideshow)

Indiana's attorney general office has filed suit against health insurer Wellpoint for delaying notification of customers of a data breach earlier this year.

Indiana law requires businesses to notify individuals potentially affected by data breaches, as well as the attorney general's office "without reasonable delay," according to a statement by Indiana AG Greg Zoeller's office.

However, the AG office alleges that data, including social security numbers, health records, and financial information for about 32,000 Indiana consumers were potentially available to the general public through an unsecured Wellpoint website for about 137 days, between October 2009 and March 2010. The data was submitted to Wellpoint from applicants seeking insurance coverage.

The AG office alleges that while Wellpoint was notified on February 22 and March 8 of this year that application records containing personal information was accessible from its public website, Wellpoint didn't begin notifying individuals about the security breach until June 18, 2010. Wellpoint did not respond to an inquiry from the AG about news reports regarding the breach until July 30, according to the AG office.

Indiana is seeking $300,000 in civil fines from Wellpoint for the alleged "unreasonable delay" in notifying individuals and the AG's office, according to the AG's statement. The AG's office said it has not received any consumer complaints about identity theft related to the data leak.

"While most inadvertent security breaches do not result in fraud, notifying those affected in a timely manner significantly reduces the risk of identity theft," said the AG office in its statement. "Situations involving the theft of personal information for the purposes of identity theft most often result in some form of fraud occurring within seven to 10 days," said the AG office.

In a statement from Wellpoint sent to InformationWeek in response to seeking comment, the company said, "Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations."

Anthem Blue Cross and Blue Shield is Wellpoint's operations serving several states, including Indiana, Colorado, Connecticut and Maine.

"As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again," said Wellpoint's statement.

"We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted," Wellpoint said.

"We made an effort to communicate directly to each of the applicants who were potentially affected. This communication occurred when our extensive analysis was complete."

Finally, "though the majority of individuals who submitted applications were not impacted by the incident, out of an abundance of caution, each applicant received a detailed notification from Anthem Blue Cross and Blue Shield explaining what happened, and was offered identity protection services for one year at no cost."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Oracle Product Rollout Underscores Need for Trust in the Cloud
Kelly Sheridan, Associate Editor, Dark Reading,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.