Anthem Blue Cross notifies 470,000 patients of breach
Through this manipulation, some of these individuals gained unauthorized access to certain private information, according to a media statement from Anthem Blue Cross. "It did not impact anyone who has insurance under their employer, has a senior product or state-sponsored products. Out of an abundance of caution, we are notifying everyone who had information on the web portal when the URL address was able to be manipulated," the payor said.
The majority of such manipulation and the resulting unauthorized access occurred at the hands of certain attorneys representing an applicant, according to the insurer, which believes the manipulation was conducted to support a class action against Anthem Blue Cross and/or its parent company.
“The ability to manipulate the web address was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not,” Blue Cross said. “As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again.”
Anthem Blue Cross has since requested by letter and in-court filings that the attorneys return all information improperly obtained from the individual application system. “All information acquired by the attorneys has been transferred to the court’s custodian and beyond that, we have received no indication that any other information accessed has been used inappropriately,” Anthem Blue Cross stated.
Blue Cross has been working with the data to identify all individuals whose information may have been impacted and is preparing to communicate directly with affected members and applicants as soon as possible.
All appropriate applicants will receive a detailed notification from Anthem Blue Cross explaining what happened, and will be offered identity protection services for one year at no cost, according to the organization.
“We are currently weighing our legal options with respect to the data, the impact--if any--on our members, and the remediation costs incurred as a result of these actions,” the statement concluded.