WellPoint has notified close to 130,000 insurance plan members that their personal information, including Social Security numbers, pharmacy or medical data, was accessible online to unauthorized users over the past year. With 35 million members, WellPoint is the largest membership insurer in the United States.
According to Health Data Management (HDM), the Indianapolis-based insurer said it has not received reports of identity theft or credit fraud. WellPoint said it has notified approximately 128,000 members of the issue and has offered free credit-monitoring services for its members whose information was exposed.
The breach occurred in two phases and resulted from unsecured servers being used by an unidentified technology vendor partner.
The insurer has had other data security problems in the past. In early 2007, 1,350 members’ personal information was potentially accessible via the internet for an undisclosed period of time. Members were notified and offered one year of free credit-monitoring services at that time as well.
Information at risk included Social Security numbers, health plan identification numbers, prescriptions, and such claims data as demographic information and diagnosis and procedure codes. WellPoint said it hired a consultant to help identify and correct technical vulnerabilities and flaws in security policies.
This is the third health data security breach for WellPoint in the past 18 months. Stolen back-up computer tapes contained data on about 200,000 members, and a disc with information on 75,000 members was missing but later found, reported HDM.
However, such problems are not limited to WellPoint. More than 225 million records for U.S. residents have been exposed due to security problems since 2005, according to the nonprofit Privacy Rights Clearinghouse.
In February 2008, a National Institutes of Health laptop computer containing medical information on 3,000 patients was stolen. In April, WellCare Health Plans reported that the disclosure on the internet of data for close to 71,000 Medicaid members in Georgia was due to human error. An employee who was transferring Medicaid members' information to the state's internet portal had removed security protections, making confidential data available.