Risk

11/2/2010
03:45 PM
50%
50%

Indiana AG Sues Wellpoint Over Health Data Breach

Consumer health data was at risk for 137 days through an unsecured Wellpoint website, alleges the suit filed against the health insurer.

Healthcare Innovators
Slideshow: Healthcare Innovators
(click image for larger view and for full slideshow)

Indiana's attorney general office has filed suit against health insurer Wellpoint for delaying notification of customers of a data breach earlier this year.

Indiana law requires businesses to notify individuals potentially affected by data breaches, as well as the attorney general's office "without reasonable delay," according to a statement by Indiana AG Greg Zoeller's office.

However, the AG office alleges that data, including social security numbers, health records, and financial information for about 32,000 Indiana consumers were potentially available to the general public through an unsecured Wellpoint website for about 137 days, between October 2009 and March 2010. The data was submitted to Wellpoint from applicants seeking insurance coverage.

The AG office alleges that while Wellpoint was notified on February 22 and March 8 of this year that application records containing personal information was accessible from its public website, Wellpoint didn't begin notifying individuals about the security breach until June 18, 2010. Wellpoint did not respond to an inquiry from the AG about news reports regarding the breach until July 30, according to the AG office.

Indiana is seeking $300,000 in civil fines from Wellpoint for the alleged "unreasonable delay" in notifying individuals and the AG's office, according to the AG's statement. The AG's office said it has not received any consumer complaints about identity theft related to the data leak.

"While most inadvertent security breaches do not result in fraud, notifying those affected in a timely manner significantly reduces the risk of identity theft," said the AG office in its statement. "Situations involving the theft of personal information for the purposes of identity theft most often result in some form of fraud occurring within seven to 10 days," said the AG office.

In a statement from Wellpoint sent to InformationWeek in response to seeking comment, the company said, "Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations."

Anthem Blue Cross and Blue Shield is Wellpoint's operations serving several states, including Indiana, Colorado, Connecticut and Maine.

"As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again," said Wellpoint's statement.

"We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted," Wellpoint said.

"We made an effort to communicate directly to each of the applicants who were potentially affected. This communication occurred when our extensive analysis was complete."

Finally, "though the majority of individuals who submitted applications were not impacted by the incident, out of an abundance of caution, each applicant received a detailed notification from Anthem Blue Cross and Blue Shield explaining what happened, and was offered identity protection services for one year at no cost."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12538
PUBLISHED: 2018-06-22
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage...
CVE-2018-12684
PUBLISHED: 2018-06-22
Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file.
CVE-2018-12687
PUBLISHED: 2018-06-22
tinyexr 0.9.5 has an assertion failure in DecodePixelData in tinyexr.h.
CVE-2018-12688
PUBLISHED: 2018-06-22
tinyexr 0.9.5 has a segmentation fault in the wav2Decode function.
CVE-2018-10002
PUBLISHED: 2018-06-22
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.