As the world of health care data revolves, this is an interesting case with attorneys being the culprits looking for information, so the folks on the other side are in fact getting smarter technology. Normally the cases we see involve loss of hardware, like a USB drive or a notebook, etc. This was different in that after the system upgrade all security evidently was NOT in place and working correctly.

According to the article here, anyone who had a current application in process was a potential victim. Now this opens the door for lawsuits to be filed for those whose records were exposed. Again, I don’t know how long the current business models can be sustained at this rate, as if it has happened once, well, it can and probably will happen again. Use of private information out in the world of technology is causing a real stir for access, and the information means money.

For the consumer applying for health insurance here it means a year’s worth of free credit reporting. I wonder how much the attorneys actually were able to see, and obviously it appears this was not done to perhaps steal identities, but rather to obtain information used for future lawsuits. The legal profession is also a good example of an industry that invests heavily in technology too. The article states the information was returned, but after being reviewed and evaluated, it’s still out there if duplicated, and I might guess there’s a real good possibility of this occurring for strategic use with future lawsuits. BD

More than 200,000 Anthem Blue Cross customers this week received letters informing them that their personal information might have been accessed during a security breach of the company's website.

Only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their applications.

Anthem spokeswoman Cynthia Sanders said the confidential information was briefly accessed, primarily by attorneys seeking information for a class action lawsuit against the insurer.

Newport Beach attorney Mark Robinson filed a class action lawsuit on behalf of a Los Angeles County resident who discovered that her application for insurance was available for public view.

"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."

The company is offering a free year of identity protection service. Anthem also said the attorneys have returned all improperly obtained information to a custodian of the court system.

Personal data accessed on insurer Web site | information, security, anthem - Life - The Orange County Register
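The statement quoted above says a URL could be manipulated after the upgrade while a vendor had signed off that security was in place. As an added example (not Anthem's or the vendor's code), here is the kind of post-upgrade check that catches this: it requests every record as every account and reports any answer that exposes someone else's application. The handler names, the record layout and the assumption that the tool looks records up by an id taken from the URL are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: application id -> owning account and status.
APPLICATIONS = {
    "1001": {"owner": "alice", "status": "pending"},
    "1002": {"owner": "bob", "status": "pending"},
}

@dataclass
class Response:
    code: int
    body: str = ""

def status_before_fix(session_user, app_id):
    """Hypothetical handler: looks the record up by the URL id alone."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        return Response(404)
    return Response(200, app["status"])

def status_with_owner_check(session_user, app_id):
    """Same lookup, but the record must belong to the logged-in account."""
    app = APPLICATIONS.get(app_id)
    # Same 404 for "missing" and "not yours", so ids cannot be confirmed.
    if session_user is None or app is None or app["owner"] != session_user:
        return Response(404)
    return Response(200, app["status"])

def post_upgrade_check(handler):
    """Return every (user, app_id) request that exposed another's record."""
    leaks = []
    for user in (None, "alice", "bob"):  # None = not logged in
        for app_id, app in APPLICATIONS.items():
            resp = handler(user, app_id)
            if resp.code == 200 and app["owner"] != user:
                leaks.append((user, app_id))
    return leaks

if __name__ == "__main__":
    print("before fix:", post_upgrade_check(status_before_fix))
    print("with owner check:", post_upgrade_check(status_with_owner_check))
```

An empty list from `post_upgrade_check` is the condition a release sign-off should require; any entry is a record served to the wrong account.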

9 comments:

  1. Who are the attorneys? They are the thieves. I was one of the victims. I want them prosecuted

  2. I agree with anonymous. Are any charges being brought against the lawyers that 'stole/hacked' the personal info.?

  3. We have a number of problems here with this security breach. First of all the software upgrade done by Blue Cross made the files available so problem #1 in not ensuring security was in place after update.

    Electronic Medical record vendors spend 25-30k to get a stamp of approval to ensure that they have the right security to protect our records from use in the doctor/hospital offices - yet with health insurers, nobody gets certified nor are there any certification processes for this, thus I say they need to go through certification #1 so this does not happen and good practices for certification need to be set up as why should one end of technology pay to ensure their software works securely and properly and yet the other side does not.

    All we get from insurers is "whoops" and free credit rating and as this continues will everybody need free credit protection in time?

    Second issue, yes the attorneys snarfing up what was out there and a good practice would have been to alert Blue Cross instead of feeding like vultures, I agree. It's like finding a wallet with a bunch of cash and keeping it, or being honest and turning in the stolen wallet with all contents:)

    Again, first off Blue Cross has the responsibility of securing patient data so it is not out there floating around for anyone to find and secondly a little responsibility on doing the right thing is second here. If problem #1 had been addressed properly, we would not have had problem #2, and both are at fault, even though the attorneys were looking for information to help consumers file a class action case against Blue Cross which could end up being a benefit, can't really say on that as I am not on the inside here with any information.

    Again, I go back to the root of the problem that allowed this to happen, insurance company software use should be certified so we know what processes are put in place so we don't end up with security breaches that resemble a BP oil spill with everything just gushing out there. The same principles apply here in being prepared for disaster, whether it is an ecological one or a data disaster, same ideas for handling should be in place where we don't have to rely on "band aids" to fix.

  4. - I don't agree with your analogy of 'finding' a wallet. It was a matter of a pick-pocket stealing the wallet. There is no excuse for the lawyers' illegal acts and they should be prosecuted. Getting into any private system takes some overt effort. Anthem did not 'send' the info out to the lawyers.
    - The lawyers should be prosecuted for federal violations across state lines of at least identity theft, theft of personal information and conspiracy in committing the acts.
    - Also, the lawyers should be sued for twice the insurance policy premium costs for the most expensive policies for pre-existing conditions or the 'HIPA' policy criteria, for each victim and their spouses/partners, for the number of years from when the number of years from now until each victim is eligible for insurance when then information is no longer used, eg. until Medicare age.

    Anonymous2

  5. Ok, I'll add a little more here, the attorneys are the "known" individuals who were found; however, there could have very well been more, so again it comes back around to Blue Cross and some sloppy programming with the company they outsourced with to do their upgrade.

    That is the issue that started the entire situation and yes not glorifying the attorneys by any means, but again keep in mind if they were able to break in, so were others, thus the need for free credit reporting services to all of those affected.

    Here's another example where a Blue Cross office gave away a filing cabinet full of member information too.

    http://ducknetweb.blogspot.com/2010/04/blue-cross-blue-shield-gives-away-file.html

    Here's one more involving Blue Cross security breaches in TN, so you can see this is a big problem that needs to go beyond the attorneys to fix as we as consumers are the big losers.

    http://ducknetweb.blogspot.com/2010/01/blue-crossblueshield-data-theft-in.html

  6. To answer your question the firm was Robinson, Calcagnie & Robinson Inc.
    620 Newport Center Drive
    7th Floor
    Newport Beach, Ca. 92660
    (949)720-1292

    NOW MY QUESTION IS: Who was the name of their client and did he/she have an active hand in the breach. Also, what was the name of the third party vendor

  7. This part is NOT true: "Only customers who had pending insurance applications in the system are being contacted." I did not have an application pending, yet I received the letter. So this begs the questions; WHEN was this breach first discovered, and why wasn't it reported by the first person who discovered it -- instead of the person holding onto this information for h/her own financial gains??

  8. In reference to the last comment, you are right as the situation has grown since it was first published. This is a big issue and I have posted many times that the data systems/software use by insurance companies should be certified, just as we do for electronic medical record systems.

    The vendors who sell and pay money to be certified seem to be doing a pretty good job by comparison in protecting medical record information and it is rather the insurance companies who are dropping data all over the place. The link below is one good example.

    http://ducknetweb.blogspot.com/2010/06/rules-on-ehr-certification-should-take.html

    I try to also advise consumers to read up and know what the subsidiaries of insurance companies are doing as they all lead to bottom line profits. You may find they have investments in areas that will surprise you and work in mysterious ways for profits.

    http://ducknetweb.blogspot.com/2010/06/consumer-watchdog-warns-sebelius-on.html

    I hope this adds a bit of helpful content here in looking at the entire picture of what is going on, a lot in the background that consumers may not be aware of.

  9. Just as an update. I too received that letter last year. Now my business checking has a fraudulent check. The only thing I used that checking account for is paying monthly employment taxes, 1 business credit card (which is safe), and my Anthem Blue Cross payment. It makes me wonder if that is where they got my info. Here is a link to what I believe is the other side of the story http://www.ripoffreport.com/directory/bbu-interservices.aspx .


 