A sloppy website upgrade is being blamed this week for a data breach that left the most sensitive personal information of more than 230,000 Anthem Blue Cross members exposed for more than five months.
Anthem officials said its corporate website had been revamped in October by a third-party vendor that, according to the health insurer, failed to secure sections of the site to ensure visitors couldn’t access members’ medical records and Social Security numbers.
“We were told by a third-party vendor that all security measures were in place,” Cynthia Sanders, an Anthem spokeswoman, said in a statement.
As it turns out, visitors were able to access the personal information of the more than 230,000 people who had pending insurance applications in the Anthem system.
But it wasn’t until attorneys filed a class action suit on behalf of the violated members that Anthem became aware of the data breach. A subsequent internal investigation revealed that at least one affected member and his or her attorneys managed to infiltrate the website repeatedly to access what was supposed to be secured data.
“As soon as we heard about the attorneys, we went in, discovered the problem and fixed it immediately,” Sanders said.
This is hardly the first time a major U.S. health insurer has failed to adequately safeguard the medical records and personal data that cyber thieves crave to fuel their elaborate identity theft rings.
In January, Blue Cross and BlueShield officials in Tennessee were forced to notify between 200,000 and 500,000 members that their data was exposed after someone managed to steal a total of 57 computer hard drives from a closet at its Chattanooga, Tenn. call center.
In that instance, drives contained more than 1.3 million audio files of recorded conversations between customer service representatives and customers and another 300,000 video files from images on customer service reps’ computer screens that captured members’ Social Security numbers, birth dates, addresses and medical information.
Then in February, more than 200,000 AvMed Health Plan subscribers discovered that their Social Security numbers, medical records and addresses had been exposed after a pair of laptops were stolen from the insurer’s Gainesville, Fla. corporate headquarters.
Officials at Woodland Hills, Calif.-based Anthem Blue Cross said they have no idea how many times the information was accessed and immediately began sending out notification letters to affected applicants once they learned of the security gaffe.
The insurer is offering free credit-monitoring service for a year to all affected members.