FierceHealthcare FierceHealthIT FierceMobileHealthcare FierceHealthPayer
FierceHealthFinance FierceEMR FiercePracticeManagemtn Hospital Impact

Connecticut AG investigates WellPoint data breach, fines Health Net $250K

Health insurers have been under fire in recent months for a spate of data breaches, and now Connecticut Attorney General (AG) Richard Blumenthal is investigating Indianapolis-based WellPoint Inc. for potentially compromising the financial and health information of 470,000 people across the country (including 5,600 Connecticut residents), reports Bloomberg Businessweek. This latest breach marks WellPoint's third--and largest--in three-and-a-half years, reports the Indianapolis Star.

Blumenthal has written WellPoint to request specific information on what caused the breach, how affected people are being protected and how the company will prevent future breaches. "This information breach is only the latest in a disturbing series of cases where nonpublic personal information has been subjected to unauthorized access," Blumenthal said. "In this era of increasing reliance on technology, it is vitally important that companies entrusted with nonpublic personal information employ the highest levels of security." Among other concerns, Blumenthal wants WellPoint to offer compromised consumers two years of credit monitoring services and $25,000 of identity-theft protection. (The company has provided one-year's worth of protection services.)

The breach was related to the online individual health insurance application process in 10 states: Connecticut, California, Colorado, Indiana, Kentucky, Missouri, Nevada, New Hampshire, Ohio and Wisconsin. Last October, an upgrade to the application process made by an outside firm resulted in a glitch that allowed unauthorized access of people's confidential applications. WellPoint found out about the problem in March when a California woman filed suit. "Within 12 hours of discovering the issue, we corrected it," WellPoint spokeswoman Cindy Sanders told Bloomberg.

In addition, the applications of fewer than 1,000 people have definitely been accessed. WellPoint officials believe that the majority of the instances of unauthorized access were made by the attorneys for the woman who filed suit, reports the Atlanta Journal-Constitution.

Earlier in June, Gainesville, Fla.-based AvMed Health Plans revealed that personal information for 1.2 million members and former members was on two laptops stolen from its headquarters, reports the Miami Herald. And in a far more mundane breach, the personal information for about 4,900 people was temporarily put at risk because Hartford, Conn.-based Aetna Inc. failed to clean out an old file cabinet before disposing of it. The paper files have been returned to Aetna, but the company is offering free credit monitoring to the affected people.

UPDATE: Connecticut AG Blumenthal has settled the state's lawsuit against Health Net of the Northeast Inc. regarding a computer hard drive that went missing last year, compromising the personal data of 1.5 million people, including 446,000 Connecticut residents, reports the Hartford Courant. Health Net of the Northeast will pay $250,000 in fines, as well as implementing a corrective action plan that includes continuing to provide identity theft protection plus improving systems controls, management and oversight structures, and employee training and awareness. If it turns out the data on the missing drive was used for illegal purposes, Health Net would pay an additional $500,000 to the state. In addition to Health Net of the Northeast, the settlement involves Health Net of Connecticut Inc. and parent companies UnitedHealth Group Inc. and Oxford Health Plans.

To learn more:
- read this Bloomberg Businessweek article
- read these Hartford Courant articles: article 1 or article 2
- take a look at these Indianapolis Star reports: report 1 and report 2
- read this Atlanta Journal-Constitution report
- read this Miami Herald article
- read this Aetna press release

Related Articles:
Health Net data breach brings first HITECH state enforcement action

OCR sets rules for sharing HIPAA breach information
Data breaches: Another opportunity for bad publicity

SHARE WITH:
Email Twitter Facebook LinkedIn StumbleUpon
Get Your FREE FierceHealthPayer Email Newsletter:
Comments (1) | Post a comment

Comments

This is a GREAT article despite the dismay of breaches. In David Scott’s words, everyone needs to be a mini-Security Officer today. I think Mr. Scott, the author, is right: Most individuals and organizations enjoy so-called “Security” largely as a matter of luck. For some free insight check out the blog, “The Business-Technology Weave” – you can Google to it, or search on the site IT Knowledge Exchange which hosts it. Anyone else here reading I.T. WARS? It too reflects much of what is said here. I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). “In the realm of risk, unmanaged possibilities become probabilities.” Keep “security” front and center! Great stuff.

Post new comment

The content of this field is kept private and will not be shown publicly.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.