Data Breach in October 2009 Caused by Third-Party Vendor, States Anthem Blue Cross on June 25, 2010
This story gets curiouser and curiouser. According to Anthem, the breach was actually created in October 2009 by an as yet unnamed "third party vendor". We may have to wait for the Wall of Shame posting to find out who they are, but what will be even more interesting is why nearly nine months have gone by without a peep from Anthem.
Then, of course, the class action lawsuit rears its ugly head. Apparently a patient discovered the breach of her data. The first question is whether she reported this to Anthem and, if so, what Anthem did about it. I would guess that if they did know, they did not do enough, since she went on to hire an attorney. Next we hear that the attorney accessed the site and downloaded patient records. Did they download only her records, or were other records downloaded as well? Did they meet any other data miners while they were looking around? Enquiring minds want to know. Not until the attorney files a class action lawsuit does Anthem become aware that they have a hole in their ship, a gaping hole.
I now know two people who have gotten the letters from Anthem, one of whom is in the privacy and security business. It will be interesting to see what they plan to do about the class action suit.
I hope this is the wake up call that covered entities need to get serious about managing their business associates.

Reader Comments
Data Breach
From: Anne, 05/01/11 10:22 AM
There seems to be a trend of coverups across the nation with various vendors. I see no reason why any vendor needs your home address in order to accept a credit card. A quick look at your I.D. should verify who you are. I have noticed that many hotels in the Midwest and on the East Coast are now requiring more information than is needed for any credit card transaction. I have been asked for name, address, last four digits of SS#, a copy of my driver's license, and at some places they have required a copy of my social security card, with the excuse that they are trying to avoid identity theft. If schools can scan your driver's license to verify your identity without asking for a blood sample, a stool sample and a hair sample, then it seems to me that a simple swipe of a driver's license, with the majority of your personal information concealed from the sometimes unscrupulous employees working at some of these places, should be enough; most vendors should be able to do the same thing as the schools do. In Texas it is required that you swipe your driver's license in some schools in order to pick up your kids early, to visit them in the lunch room, or even just to walk the halls during a dance, play or other event. Why would you give these complete strangers access to your customer information? How responsible is that of the owners/vendors? Why are they hiding the identities of the owners/vendors from the customers when the breaches occur?
Anthem caused identity theft/credit card fraud
From: Megan, 08/05/10 10:31 PM
Three days ago, my credit card number was used fraudulently. Today I received a letter from Anthem telling me a breach had occurred, leaking my social security number, name and credit card number. I have not been a customer with Anthem for over a year (since February 2009, I believe). When I called Anthem to ask about this, I was told this leak had occurred a year ago. When I asked why I was not informed a year ago, when the leak occurred, I was told they did not find out about it until just now. When I asked why Anthem still had my private information stored in their database when I have not been an Anthem customer for over a year, I was told they had no way of knowing why my private information was still being kept (mind you, without my knowledge or permission) in their database. I was given a headquarters number to call. I am reporting this to my State Attorney General, and I am seriously considering suing for this identity theft incident. My information is compromised. I am following the appropriate steps to take care of the identity theft/fraud. However, Anthem's offer of a free year's worth of identity theft protection is a joke. My information has already been compromised and used inappropriately! The thief could use my information years from now! I am not well off. This could be a time-consuming and expensive situation to deal with. Where are the laws to protect our information? Where are the agencies to ensure that old or outdated information (not being used) is being deleted, as it ought to be? Where is the consumer protection? This is ridiculous!
Whole families are compromised
From: m smilth, 07/03/10 07:17 PM
The data I submitted in my application included not only my whole name, birthdate and social security number but also those of my husband and children!! My entire family is at risk now... forever.
PCI Data Security Standard compliance test
From: Colin Slaughter, 06/29/10 02:50 PM
Anthem Blue Cross (Anthem) recently sent me a letter to inform me of a security breach. The letter did not contain any contact information for Anthem other than a P.O. Box at the top of the letter. The address was in such a small font that it couldn't have been larger than 4 point size. Even the enclosed Debix terms and conditions font size was larger. The letter did contain a phone number, but as I stated, it was not even a number for Anthem, even though the recording identifies it as the "Anthem Blue Cross Assistants Line". Instead it went to Debix, which I verified by pressing the option that allowed me to speak to someone. The phone number also provided a recording that was a bald-faced lie to the persons affected by the "incident" (as Anthem referred to the security breach). I do not think that Anthem was expecting someone to know about web security and think about what the recording had said. The recording stated some things that stood out to me. 1. A data breach occurred. 2. A third-party security company had performed security tests. 3. Anthem had just finished upgrading the system. 4. The information was stolen by a user changing the URL, thereby allowing other people's Anthem applications to be accessed. It simply makes no sense whatsoever that a third-party security company performed a security test and missed the most basic of security flaws. This leads me to believe that Anthem's system must contain many other serious security flaws. The fact that Anthem's web-based system even allowed access to applicants' information submitted to them on paper is a huge concern and shows Anthem's actions were negligent, because Anthem failed to take reasonable security measures to ensure the protection of its members' and applicants' sensitive personal information.
I can only hope that all my medical records and billing information are not stored in a similar or the same web-accessible system, or that digital copies of my information were not duplicated and passed to other parties or sold on the black market. If so, then this data breach can cause me headaches and stress for the rest of my life. The simple fact that no one can ever prove that my personal information was not passed on or sold is causing me a great deal of stress. My social security number, date of birth, home address, work, medical history and other sensitive, private information may possibly circulate on the black market forever. The most astonishing problem is that a simple, low-cost test used by many companies to find potential security flaws could have been used to prevent this exact type of security breach. The test is known as a PCI Data Security Standard compliance test. Any online company accepting credit cards is required by Visa and MasterCard to pass a PCI Data Security Standard compliance test in order to accept or process credit cards online. I know the test would have caught this type of security flaw because it once caught this exact same flaw on my company's website, and it was easily fixed. Therefore I believe that Anthem's claim on their recorded statement that a third-party security company had inspected the web-based system and it had passed all security tests is a bald-faced lie, or at least proves that Anthem has severe security problems. A full security audit should be performed by a reputable, outside, independent security company, and Anthem should be barred from practicing business until the audit is completed and Anthem's security practices are found to meet or exceed security practices for its industry.
I find it reasonable to think that a company such as Anthem, knowing that the data in its systems is far more critical than credit card information, would have at the very least taken the same security precautions as a credit card company to protect its members' and applicants' personal information. However, it is very apparent that it did not, and this fact can also be easily confirmed by a multitude of online security companies. Anthem Blue Cross should have, at the very least, encrypted all sensitive information. I do believe that Anthem's neglect to take reasonable security measures to verify that the simplest of hacks would not work makes Anthem's actions irresponsible, punishable, and bordering on criminal. Anthem Blue Cross's gesture of one year of credit fraud monitoring service paid by them is an insult. It should be for life, due to the fact that my personal information may be on the black market for the rest of my life or even longer. Fifty years from now the "incident" could lead to problems affecting my life, through no fault of my own. Who is to say that this was the only incident or the only person to perform this kind of action? Can Anthem prove that this "incident" was an isolated incident?
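The flaw the comment above describes, a user changing an identifier in the URL and getting back someone else's application, is a missing object-level authorization check (often called an insecure direct object reference). The following is an added example written for this page; it is not code from the original post, from Anthem, or from any vendor named here, and it does not describe how Anthem's system was actually built. The applicant names, record ids and last-four digits are constructed sample data. It puts the vulnerable handler beside the hardened one, and includes the sequential-id sweep that a basic web scan of the kind the commenter mentions would run to surface the flaw.

```python
"""Added example: broken object-level authorization, vulnerable vs. hardened.

All data below is constructed for the demonstration. The handler shapes
(current_user, app_id) stand in for whatever a real framework passes from
the session and the URL; they are assumptions, not any product's API.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Application:
    app_id: str
    owner: str       # the authenticated account that submitted the form
    ssn_last4: str   # constructed sample data, not real


# Constructed sample store. Sequential numeric ids make enumeration trivial,
# which is exactly what "changing the URL" exploits.
APPLICATIONS = {
    "1001": Application("1001", "alice", "1234"),
    "1002": Application("1002", "bob", "5678"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def vulnerable_view(current_user: str, app_id: str) -> Application:
    """Vulnerable handler: trusts the id taken from the URL.

    Being logged in is the only check, so any user can read any record by
    editing the id. current_user is accepted but never consulted.
    """
    return APPLICATIONS[app_id]


def hardened_view(current_user: str, app_id: str) -> Application:
    """Hardened handler: the lookup is scoped to the authenticated caller.

    A record that exists but belongs to someone else is treated exactly like
    a record that does not exist, so the response does not act as an oracle
    for which ids are valid.
    """
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != current_user:
        raise Forbidden(f"{current_user} may not read application {app_id}")
    return app


def can_read(current_user: str, app_id: str) -> bool:
    """Convenience wrapper around hardened_view returning a plain bool."""
    try:
        hardened_view(current_user, app_id)
    except Forbidden:
        return False
    return True


def enumerate_ids(view, current_user: str, start: int, count: int) -> list:
    """Sweep a range of sequential ids through a handler as one logged-in user.

    This is the check a basic authenticated web scan performs: request ids
    the caller does not own and see whether anything comes back. Returns the
    ids of records that were readable but belong to someone else.
    """
    leaked = []
    for n in range(start, start + count):
        try:
            app = view(current_user, str(n))
        except (KeyError, Forbidden):
            continue
        if app.owner != current_user:
            leaked.append(app.app_id)
    return leaked


def new_application_id() -> str:
    """Unguessable id for newly created records.

    Random ids raise the cost of a sweep from seconds to infeasible, but they
    are a second layer only; the ownership check in hardened_view is what
    actually closes the hole.
    """
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("vulnerable sweep as alice:", enumerate_ids(vulnerable_view, "alice", 1000, 10))
    print("hardened sweep as alice:  ", enumerate_ids(hardened_view, "alice", 1000, 10))
```

Run as a script it shows the sweep leaking bob's record through the vulnerable handler and nothing through the hardened one. The two mitigations are deliberately separate: scoping the query to the caller is the fix, and unguessable ids only make the sweep impractical for a tester or attacker who does not already know a valid id.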