Anthem Blue Cross, the trade name for Blue Cross of California, is notifying about 230,000 members and applicants for insurance that a Web site used to apply for individual health insurance policies was breached.
The insurer says attorneys working on a class action lawsuit were able to access medical information and credit card and Social Security numbers, among other information, because not all security mechanisms were reinstated following an October 2009 upgrade.
An attorney representing affected individuals told the Associated Press that the information was not secure for five months. What follows is a statement that Anthem Blue Cross has issued:
"Anthem Blue Cross is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations.
"We recently learned of a situation in which a small number of individuals manipulated the web address (URL) within the web site we use to allow people applying for individual insurance to track the status of their insurance applications. Through this manipulation, some of these individuals gained unauthorized access to certain private information. The vast majority of such manipulation and the resulting unauthorized access occurred at the hands of certain attorneys (representing an applicant). We believe that this manipulation was conducted to support a class action against Anthem Blue Cross and/or its parent company - over the very breach being committed.
"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again.
"We have requested both by letter and in court filings that the attorneys return all information improperly obtained from the individual application system and as a result, that information has been delivered to a court approved custodian who will ensure its security.
"We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted and prepared to communicate directly to affected members and applicants as soon as possible. As stated above, all information acquired by the attorneys has been transferred to the court's custodian and beyond that, we have received no indication that any other information accessed has been used inappropriately.
"Out of an abundance of caution, all appropriate applicants will receive a detailed notification from Anthem Blue Cross explaining what happened, and will be offered identity protection services for one year at no cost.
"We are currently weighing our legal options with respect to the data, the impact - if any - on our members, and the remediation costs incurred as a result of these actions."
This article can also be found at HealthDataManagement.com.