After the Anthem Blue Cross website was breached

Jun 28, 2010 14:42 GMT

A faulty upgrade on the Anthem Blue Cross website has left the personally identifiable information of around 230,000 people freely accessible on the Internet for months. The company is sending out notification letters to affected individuals and is offering them a free one-year subscription to an identity protection service.

Anthem Blue Cross is the brand name under which WellPoint, the largest company in the Blue Cross and Blue Shield Association, sells health insurance services in several states. IEEE Spectrum magazine reports that the Anthem Blue Cross website suffered from a glitch that allowed several lawyers working on a class action lawsuit against the company to view personal data on pending customers.

The website section allowed people with health insurance applications pending at Anthem Blue Cross to view their status. However, this online tool was left unprotected and could be accessed through simple URL manipulation following an October 2009 upgrade.

"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again," the company explained.

It is not clear how many people's information was actually viewed by the attorneys working on the case. Nevertheless, this data is expected to include personally identifiable details such as names, phone numbers, addresses and Social Security Numbers (SSNs) at the very least.

The company expressed its apologies for the incident and started notifying all 230,000 potentially affected individuals last week via regular mail. The notification letters inform recipients that a one-year subscription to an identity protection service is available to them for free.

You can follow the editor on Twitter @lconstantin