Wellpoint security glitch exposes applicant data

Tue Jun 29, 2010 3:24pm EDT

* WellPoint warns 470,000 applicants of the glitch

* Medical records, Social Security numbers exposed

BOSTON, June 29 (Reuters) - WellPoint Inc (WLP.N) has warned some 470,000 people who applied for its health insurance that a website security glitch may have exposed their Social Security numbers and other sensitive data to the public.

The top U.S. health insurer by membership learned of the problem in March when an applicant sued the company, saying she was able to obtain information in other people's applications for health insurance by manipulating URLs to a site that tracks membership applications, said WellPoint spokeswoman Cindy Sanders.

WellPoint quickly fixed the glitch, which was introduced in October by a contractor who upgraded the site, according to Sanders.

The company believes that the security glitch was exploited to access information on 940 insurance applications. Separately, unauthorized viewers accessed spreadsheets that "in rare cases" contained Social Security numbers, Sanders said.

WellPoint is doing forensic work to identify the applicants whose data was compromised.

"At this time we don't know exactly whose information was accessed," she said.

In the meantime, WellPoint has offered one year of identity-theft protection services to all 470,000 applicants.

Sanders declined to say how much it would cost WellPoint to provide those services and pay for other expenses related to the security breach.

It affected applicants for individual health insurance policies under the age of 65, she said. WellPoint members who obtain their insurance through their employer were not affected.

The insurer does business in 14 U.S. states including California, Colorado, Indiana, Ohio, Nevada and Wisconsin.

Its shares were down 2.2 percent at $49.69 on the New York Stock Exchange on Tuesday afternoon. That was a narrower decline than the 3.4 percent drop in the S&P 500 Index. .SPX (Reporting by Jim Finkle, editing by Matthew Lewis)

Stocks
Markets
Financials

Related Quotes and News

Company
Price
Related News
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (1)
janice33rpm wrote:
This is a GREAT article despite the dismay of the breach. In David Scott’s words, everyone needs to be a mini-Security Officer today. I think Mr. Scott, the author, is right: Most individuals and organizations enjoy Security largely as a matter of luck. For some free insight (and free is good!), check out his blog, “The Business-Technology Weave” – you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Anyone else here reading I.T. WARS? It reflects much of what is said here. I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). “In the realm of risk, unmanaged possibilities become probabilities.” Keep “security” front and center! Great stuff.

Jun 29, 2010 6:56pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.
See All Comments »