WellPoint: Data breach caused by attorneys and faulty security update
by Steve Ragan - Jun 29 2010, 18:11
In a statement, WellPoint says a faulty security update and attorneys involved in a class action lawsuit are to blame for a data breach that could have exposed personal information belonging to 470,000 customers.
WellPoint, the nation’s largest health insurer based on a customer base of more than 30 million, said that a system used by Anthem (Blue Cross Blue Shield) customers to track the status of their individual insurance applications was vulnerable due to a failed security update.
“After the upgrade was completed, a third-party vendor validated that all security measures were in place, when in fact they were not,” WellPoint said in a statement to The Tech Herald.
The failed security update was performed in October. As a result, one customer in California discovered that, by altering the URL, she had access to her own data as well as data for other applicants. The data included medical histories, payment information, and other personal information.
WellPoint learned of the vulnerable application in March, after it was subpoenaed in a lawsuit related to the data leak. Once the company had been made aware of the security problems, the broken application was fixed within a matter of hours, preventing further leaks.
From there things get tricky. The reason WellPoint sent 470,000 letters, 230,000 of them to Anthem customers in California, was that the information could have been accessed by anyone. Internal investigations show there was access, but not from a source one would perhaps expect.
“The vast majority of such manipulation and the resulting unauthorized access occurred at the hands of certain attorneys (representing an applicant),” noted WellPoint's statement. “We believe that this manipulation was conducted to support a class action against Anthem Blue Cross and/or its parent company - over the very breach being committed.”
“We have requested both by letter and in court filings that the attorneys return all information improperly obtained from the individual application system and as a result, that information has been delivered to a court approved custodian who will ensure its security.”
WellPoint said that “out of abundance of caution,” applicants impacted by the security problem and access by the attorneys will receive a “detailed notification from Anthem Blue Cross explaining what happened, and will be offered identity protection services for one year at no cost.”
For now, WellPoint is looking into its legal options “with respect to the data, the impact - if any - on our members, and the remediation costs incurred as a result of these actions.”
