By Daniel Weintraub
Anthem Blue Cross has notified 230,000 California customers that personal data they submitted to the insurance company via the Internet may have been improperly viewed by others.
The data breach occurred when the firm was upgrading the software that customers use to track their online applications for insurance coverage.
A vendor working on the site told the company after completing the work that the security safeguards were back in place, but the firm later learned that that was not the case, according to Cindy Sanders, a spokeswoman for Anthem.
“There was an ability for a short time for someone to manipulate the URL in the tracking system and see information for other people who were applying for insurance,” Sanders said.
In some cases only the applicant’s name would have been visible. In others, their Social Security number might have been compromised. And in a few cases, she said, entire applications might have been accessed improperly.
Sanders said the company does not know how many files were viewed and by whom, but she said the firm is offering credit monitoring service for free for one year to everyone who had an active application on the site at the time of the breach.
She said Anthem has notified the California Department of Insurance, the Department of Managed Health Care, and the Health and Human Services Agency about the incident.
Sanders said investigators working with the company have determined that the URL was manipulated by fewer than ten computers, and in some cases those might have been brokers who have a business relationship with Anthem and would have been allowed to see the information while working with customers.
“We’re actively trying to determine who those addresses belong to, and if their access was appropriate,” she said.
She said the firm has been able to identify a law firm that viewed some of the files. Sanders said Anthem believes the files were accessed as part of an effort by that law firm to build a case for a class-action lawsuit against Anthem over the security breach. All data gathered by the firm has been turned over to a court custodian, she said.