Data Breaches

Date Made Public:
July 31, 2017
Company: Anthem
Location: Indianapolis, Indiana
Type of breach:
INSD
Type of organization:
BSF
Records Breached:
18,500

"A data breach may have exposed personal health information of more than 18,000 Anthem Medicare enrollees, after one of the insurer's health care consulting firms discovered that one of its employees had been involved in identity theft.

Anthem says it was contacted about the breach by the consulting firm LaunchPoint Ventures on June 14. LaunchPoint discovered two months earlier that one of its employees had been involved in a case of identity theft, and further investigation discovered that the worker had "emailed a file with information about Anthem companies' members to his personal email address," a year ago.

In all, more than 18,500 Anthem Medicare members' Social Security and Medicare identification data may have been exposed. The health insurer reported the breach to the Department of Health and Human Services on July 24, the same day LaunchPoint began notifying members, according to an Anthem spokeswoman."

Anthem post: https://www.anthem.com/blog/member-news/launchpoint-privacy-concern-impacts-medicare-members/

Information Source:
Media
Date Made Public:
July 31, 2017
Company: Anthem Blue Cross Blue Shield
Location: Indianapolis, Indiana
Type of breach:
INSD
Type of organization:
MED
Records Breached:
18,000

"Anthem BlueCross BlueShield began notifying customers last week of a breach affecting about 18,000 Medicare members. The breach stemmed from Anthem’s Medicare insurance coordination services vendor LaunchPoint Ventures, based in Indiana.

LaunchPoint discovered on April 12 that an employee was likely stealing and misusing Anthem and non-Anthem data. The employee emailed a file containing information about Anthem’s members to his personal address on July 8, 2016.

The file contained Medicare ID numbers, including Social Security numbers, Health Plan ID numbers, names and dates of enrollment. Officials said limited last names and dates of birth were included."

Information Source:
Media
Date Made Public:
October 26, 2016
Company: Anthem, Inc.
Location: , Indiana
Type of breach:
DISC
Type of organization:
MED
Records Breached:
3,525

The covered entity’s (CE) employee emailed protected health information (PHI) to himself, claiming it was for commission reconciliation purposes. The CE ensured that all the PHI was deleted from the employee’s home computer and smart phones. The employee resigned from the company, and attested that all PHI was deleted from his devices. The CE provided breach notification to HHS, affected individuals, and the media and substitute notice was posted on the CE's websites on October 29, 2016, and will remain posted through January 27, 2017. To prevent a similar breach from happening in the future, the CE retrained its Medicare sales workforce, took steps to ensure that the former employee can no longer work or sell the CE's products, and changed its commission statement to reflect only the minimum necessary PHI. OCR obtained written assurances that the CE implemented the corrective actions listed above.

Location of breached information: Email

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
March 13, 2015
Company: Anthem, Inc. Affiliated Covered Entity
Location: , Indiana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
78,800,000

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
February 13, 2015
Company: Anthem (Working file)
Location: , Indiana
Type of breach:
HACK
Type of organization:
MED
Records Breached:
0

Location of breached information: Network Server

Business associate present: No

Information Source:
US Department of Health and Human Services
Date Made Public:
February 5, 2015
Company: Anthem
Location: Indianapolis, Indiana
Type of breach:
HACK
Type of organization:
BSF
Records Breached:
80,000,000

Anthem, the second-largest health insurance company, operating under Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup and Healthlink, has suffered a massive data breach.

The company announced that they have been the victim of a "very sophisticated external cyber attack" on their system. The information compromised includes names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses, employment and income information.

Over the next several weeks, those who were affected will be receiving some form of identity theft protection.

For those members with questions regarding the breach, the company has set up a toll-free line at 1-877-263-7995.

More Information: For the statement by Anthem's CEO Joseph R. Swedish and the dedicated website created for customer information, click here.

Additional Information: http://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-se...

UPDATE (2/10/2015): As further investigations are pursued regarding the Anthem breach, research by Brian Krebs and others shows that the hacking began as early as April 2014 and points to a Chinese hacker group known as "Deep Panda".

At the time, Anthem was called Wellpoint, and upon further investigation Krebs "discovered a series of connected domain names that appear to imitate actual Wellpoint sites, including we11point.com and myhr.we11point.com."

Because these sites were constructed almost 10 months prior, the question has now been raised as to why it took the company such a long time to uncover the hacking.

More Information: http://thehill.com/policy/cybersecurity/232285-analysis-anthem-attack-ma...

Information Source:
Media
Date Made Public:
November 10, 2014
Company: Anthem Blue Cross
Location: Southern and Northern California cities, California
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
0

Anthem Blue Cross in California sent text emails with personal details about individuals' health information and member-specific demographic information, such as age, language spoken, and specific medical test received or not received, as part of the text message.

The company is reviewing whether or not they have to report this information as part of the specific notification laws in California, which do include the breach of medical history, mental or physical condition, medical treatment or diagnosis by a health care professional.

A spokesperson for Blue Cross stated that they are investigating the incident.

More Information: http://bits.blogs.nytimes.com/2014/11/10/oops-health-insurer-exposes-mem...

 

Information Source:
Media
Date Made Public:
November 26, 2013
Company: Anthem Blue Cross
Location: , California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
24,500

The Social Security numbers and tax identification numbers of around 24,500 California doctors were accidentally posted in Anthem's online provider directory.  The information was available online at the end of October for about 24 hours.

Information Source:
Media
Date Made Public:
August 13, 2013
Company: Anthem BCBS of GA
Location: , Indiana
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
5,497

The covered entity's (CE) sales representative used an incorrect group number based on an erroneous membership and data file, resulting in an impermissible disclosure of protected health information (PHI) to the CE's business associate (BA). This breach affected approximately 5,497 individuals and included demographic information. Following the breach, the CE obtained certification that the BA destroyed the PHI and determined that there was a low risk of harm to the affected individuals. The CE also sent a memorandum and its corrective action/sanction policy to the account manager's staff regarding quality control procedures, instituted an additional quality control procedure, and counseled the involved sales representative. OCR obtained assurances that the CE implemented the corrective action listed above.

Location of breached information: Other

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
April 9, 2013
Company: Connextions, Anthem Blue Cross Blue Shield of Indiana, Anthem Blue Cross Blue Shield of Ohio, Empire Blue Cross Blue Shield of Indiana
Location: Orlando, Florida
Type of breach:
INSD
Type of organization:
MED
Records Breached:
6,000

A Connextions employee used Social Security numbers from a number of other organizations for criminal activity.  At least four members of Anthem Blue Cross and Blue Shield were affected by the criminal activity.  The breach was reported on HHS as affecting 4,814 patients, but more were affected.

Information Source:
HHS via PHIPrivacy.net
Date Made Public:
March 14, 2013
Company: Connextions c/o Anthem BCBS
Location: , Indiana
Type of breach:
PHYS
Type of organization:
MED
Records Breached:
1,678

From November 11, 2011 through October 1, 2012, an employee of the covered entity’s (CE) business associate (BA), Connextions, improperly accessed the protected health information (PHI) of the CE's Medicare members, and the employee may have disclosed their social security numbers to a third party. This breach affected approximately 528 Indiana members. The PHI involved in the breach included demographic information and social security numbers. The CE provided breach notification to HHS, affected individuals, and the media, and posted substitute notice on its website. Following the breach, the BA completed a security risk assessment, phased out the call center where the at-fault employee worked, and engaged in an independent, external audit. OCR reviewed the BA agreement in place between the CE and BA and obtained assurances that the CE and BA implemented corrective actions in this matter. In addition, the involved individual’s employment was terminated.

Location of breached information: Network Server

Business associate present: Yes

Information Source:
US Department of Health and Human Services
Date Made Public:
May 13, 2011
Company: Anthem Blue Cross
Location: Westlake Village, California
Type of breach:
DISC
Type of organization:
BSF
Records Breached:
31,125

Letters soliciting dental and vision coverage were mailed to current Anthem customers.  A priority code composed of the customer's Social Security number and two extra digits was printed on the outside of each envelope.  One customer noticed the error and contacted the media.  Anthem admits that an error occurred, but did not reveal the cause. Anthem is working to prevent this type of breach from happening again and was in the process of notifying customers of the error as of May 12. 

UPDATE (10/01/2012): Anthem experienced the marketing mailer error on April 27, 2011. The State of California settled with Anthem in September of 2012. Anthem agreed to pay $150,000 and to make significant improvements to its data security procedures to prevent future errors of a similar type.

Information Source:
PHIPrivacy.net
Date Made Public:
June 23, 2010
Company: Anthem Blue Cross, WellPoint
Location: Pasadena, California
Type of breach:
DISC
Type of organization:
MED
Records Breached:
470,000

More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company's website. Only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  Anthem Blue Cross merged with WellPoint in 2004.

UPDATE (6/29/2010): Around 470,000 customers in 10 states were notified of the breach.  The original story states that only applicants were affected, but existing customers also received notification of a possible breach of their information.

UPDATE (7/12/2010): 20,000 Louisville, Kentucky residents received notification that a security mistake online resulted in the exposure of their Social Security numbers and financial information.  It is unclear whether these residents are included in the original 470,000 customers.  Only customers who were self insured were affected. WellPoint is claiming that this and other recent breaches were committed by an attorney or attorneys attempting to gain information for a lawsuit against WellPoint.

UPDATE (9/17/2010): An Anthem applicant whose information was exposed by the breach filed a lawsuit against Anthem at the Los Angeles County Superior Court. The lawsuit claims that the breach exposed applicants and clients to identity theft.  An applicant behind the lawsuit is seeking class action status.

UPDATE (10/29/2010): The office of the Attorney General of Indiana is suing WellPoint Inc. because of the company's delay in notifying customers of the breach. WellPoint is accused of violating an Indiana law that requires businesses to provide notification of breaches in a timely manner and faces $300,000 in fines.  State officials believe WellPoint was aware of the exposure in late February, but waited until June to notify customers. 

UPDATE (7/5/2011): WellPoint Inc. will pay Indiana a $100,000 settlement for violating a 2009 data breach notification law.  Customer data was accessible between October 23, 2009 and March 8, 2010.  One or more consumers informed WellPoint of the problem on February 22, 2010 and again on March 8, 2010.  WellPoint began notifying consumers on June 18, 2010.

UPDATE (07/13/2013): About 612,000 individuals may have had their names, Social Security numbers, dates of birth, addresses, telephone numbers, health information, and other electronic protected health information exposed.  WellPoint paid HHS $1.7 million in fines.  

Information Source:
Dataloss DB
Date Made Public:
February 10, 2010
Company: WellPoint, Anthem/Blue Cross and Blue Shield
Location: Chicago, Illinois
Type of breach:
INSD
Type of organization:
MED
Records Breached:
40

A former employee accessed health care professionals' Social Security numbers, names, dates of birth, and home addresses. Between 2007 and 2010, the employee created fictitious identities and created e-mail addresses, opened bank accounts and credit card accounts.

UPDATE (05/10/2010): The former employee was sentenced to 28 months in prison followed by three years of supervised release. She was also ordered to pay $2,914.95 in restitution. She pleaded guilty to one count of mail fraud and one count of aggravated identity theft on February 9. Around 40 health care professionals such as doctors, psychologists, nurses, and dietitians were victims of fraudulent financial activity.

Information Source:
Databreaches.net
Date Made Public:
January 26, 2007
Company: WellPoint's Anthem Blue Cross Blue Shield
Location: Richmond, Virginia
Type of breach:
PORT
Type of organization:
MED
Records Breached:
50,000

Cassette tapes containing customer information were stolen from a lock box held by one of its vendors. Data included names and SSNs.

Information Source:
Dataloss DB
Date Made Public:
December 12, 2006
Company: Aetna, Nationwide, WellPoint Group Health Plans, Humana Medicare, Mutual of Omaha Insurance Company, Anthem Blue Cross Blue Shield via Concentra Preferred Systems
Location: Dayton, Ohio
Type of breach:
PORT
Type of organization:
MED
Records Breached:
396,279

A lockbox holding personal information of health insurance customers was stolen Oct. 26. Thieves broke into an office building occupied by insurance company vendor, Concentra Preferred Systems. The lockbox contained computer backup tapes of medical claim data for Aetna and other Concentra health plan clients. Exposed data includes member names, hospital codes, and either SSNs or Aetna member ID numbers. SSNs of 750 medical professionals were also exposed. Officials downplay the risk by stating that the tapes cannot be used on a standard PC.

UPDATE (12/23/06): The lockbox also contained tapes with personal information of 42,000 NY employees insured by Group Health Insurance Inc.

UPDATE (1/24/07): Personal data of 28,279 of Nationwide's Ohio customers was also compromised.

UPDATE (2/11/10): Total changed to 396,279 to reflect the final total of records breached in all of the affected companies.

Information Source:
Dataloss DB