Connecticut AG investigates WellPoint data breach, fines Health Net $250K

Health insurers have been under fire in recent months for a spate of data breaches, and now Connecticut Attorney General (AG) Richard Blumenthal is investigating Indianapolis-based WellPoint Inc. for potentially compromising the financial and health information of 470,000 people across the country (including 5,600 Connecticut residents), reports Bloomberg Businessweek. This latest breach marks WellPoint's third--and largest--in three-and-a-half years, reports the Indianapolis Star.

Blumenthal has written WellPoint to request specific information on what caused the breach, how affected people are being protected and how the company will prevent future breaches. "This information breach is only the latest in a disturbing series of cases where nonpublic personal information has been subjected to unauthorized access," Blumenthal said. "In this era of increasing reliance on technology, it is vitally important that companies entrusted with nonpublic personal information employ the highest levels of security." Among other concerns, Blumenthal wants WellPoint to offer compromised consumers two years of credit monitoring services and $25,000 of identity-theft protection. (The company has provided one-year's worth of protection services.)

The breach was related to the online individual health insurance application process in 10 states: Connecticut, California, Colorado, Indiana, Kentucky, Missouri, Nevada, New Hampshire, Ohio and Wisconsin. Last October, an upgrade to the application process made by an outside firm resulted in a glitch that allowed unauthorized access of people's confidential applications. WellPoint found out about the problem in March when a California woman filed suit. "Within 12 hours of discovering the issue, we corrected it," WellPoint spokeswoman Cindy Sanders told Bloomberg.

In addition, the applications of fewer than 1,000 people have definitely been accessed. WellPoint officials believe that the majority of the instances of unauthorized access were made by the attorneys for the woman who filed suit, reports the Atlanta Journal-Constitution.

Earlier in June, Gainesville, Fla.-based AvMed Health Plans revealed that personal information for 1.2 million members and former members was on two laptops stolen from its headquarters, reports the Miami Herald. And in a far more mundane breach, the personal information for about 4,900 people was temporarily put at risk because Hartford, Conn.-based Aetna Inc. failed to clean out an old file cabinet before disposing of it. The paper files have been returned to Aetna, but the company is offering free credit monitoring to the affected people.

UPDATE: Connecticut AG Blumenthal has settled the state's lawsuit against Health Net of the Northeast Inc. regarding a computer hard drive that went missing last year, compromising the personal data of 1.5 million people, including 446,000 Connecticut residents, reports the Hartford Courant. Health Net of the Northeast will pay $250,000 in fines, as well as implementing a corrective action plan that includes continuing to provide identity theft protection plus improving systems controls, management and oversight structures, and employee training and awareness. If it turns out the data on the missing drive was used for illegal purposes, Health Net would pay an additional $500,000 to the state. In addition to Health Net of the Northeast, the settlement involves Health Net of Connecticut Inc. and parent companies UnitedHealth Group Inc. and Oxford Health Plans.

To learn more:
- read this Bloomberg Businessweek article
- read these Hartford Courant articles: article 1 or article 2
- take a look at these Indianapolis Star reports: report 1 and report 2
- read this Atlanta Journal-Constitution report
- read this Miami Herald article
- read this Aetna press release

Related Articles:
Health Net data breach brings first HITECH state enforcement action
OCR sets rules for sharing HIPAA breach information
Data breaches: Another opportunity for bad publicity