Data breach exposes WellPoint applicants' personal information

Indianapolis-based WellPoint is notifying nearly 500,000 individual policy applicants of possible exposure of personal data on a website used to track applicant status.

The situation came to light when the company was sued by an applicant to WellPoint-owned Anthem Blue Cross of California who was able to manipulate the web address within the site to gain access to other applicants' information. The lawsuit was filed in March.

In a statement e-mailed to American Medical News, WellPoint spokesman Jon Mills said a small number of people were able to access the unauthorized data through this manipulation, but most of them were attorneys representing the plaintiff.

Mills said the ability to manipulate the website was made possible after an upgrade to the system. A third-party vendor validated that all security measures were in place when, in fact, they were not, Mills said. Changes were made to the system soon after the situation was discovered.

WellPoint requested that the attorneys representing the plaintiff return all of the information obtained. The data since has been turned over to a court-approved custodian.

The company is analyzing the data to identify all the individuals whose information may have been accessed before the glitch was corrected. It is unaware that any information was used inappropriately.

The company reported the breach to the Dept. of Health and Human Services, as required by law, which lists reports of breaches affecting more than 500 people online (link).

WellPoint reported that 480,000 people may have been impacted. It is offering identity protection services for one year to those affected.

Mills said WellPoint is weighing its own legal options about the data and any remediation of costs incurred because of the plaintiff's actions.