More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company's website. Only customers who had pending insurance applications in the system are being contacted because information was viewed through an online tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed. Anthem Blue Cross merged with WellPoint in 2004.
UPDATE (6/29/2010): Around 470,000 customers in 10 states were notified of the breach. The original story states that only applicants were affected, but existing customers also received notification of a possible breach of their information.
UPDATE (7/12/2010): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the exposure of their Social Security numbers and financial information. It is unclear whether these residents are included in the original 470,000 customers. Only customers who were self-insured were affected. WellPoint is claiming that this and other recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint.
UPDATE (9/17/2010): An Anthem applicant whose information was exposed by the breach filed a lawsuit against Anthem at the Los Angeles County Superior Court. The lawsuit claims that the breach exposed applicants and clients to identity theft. An applicant behind the lawsuit is seeking class action status.
UPDATE (10/29/2010): The office of the Attorney General of Indiana is suing WellPoint Inc. because of the company's delay in notifying customers of the breach. WellPoint is accused of violating an Indiana law that requires businesses to provide notification of breaches in a timely manner and faces $300,000 in fines. State officials believe WellPoint was aware of the exposure in late February, but waited until June to notify customers.
UPDATE (7/5/2011): WellPoint Inc. will pay Indiana a $100,000 settlement for violating a 2009 data breach notification law. Customer data was accessible between October 23, 2009 and March 8, 2010. One or more consumers informed WellPoint of the problem on February 22, 2010 and again on March 8, 2010. WellPoint began notifying consumers on June 18, 2010.
UPDATE (07/13/2013): About 612,000 individuals may have had their names, Social Security numbers, dates of birth, addresses, telephone numbers, health information, and other electronic protected health information exposed. WellPoint paid HHS $1.7 million in fines.