WellPoint said Tuesday that the personal information of about 128,000 members was exposed online over the past year, AP/BusinessWeek reports. The exposed information might have included Social Security numbers, as well as pharmacy and medical data.
WellPoint is the largest U.S. health insurer by membership (Murphy, AP/BusinessWeek, 4/8).
The data breach stemmed from two Internet servers maintained by third-party vendors, according to WellPoint.
Cheryl Leamon, a WellPoint spokesperson, said that the problems have been fixed and that the company is notifying members. The company declined to identify which type of members were affected or which states they were located in (Krauskopf, Reuters, 4/9).
WellPoint said that it is offering free credit-monitoring services to affected customers but that there have been no reports of identity theft or credit fraud (AP/BusinessWeek, 4/8). The insurer said it is investigating the data breach internally, as well as with external consultants (Reuters, 4/9).
WellCare Data Breach
In related news, WellCare Health Plans said Tuesday that the personal information of some of its Georgia members was accidentally made available online, the Tampa Tribune reports.
WellCare spokesperson Amy Knapp said the data have been secured and removed from public view on the Internet. The company believes about 10,000 members' information was exposed but plans to notify about 70,000 of its 450,000 members in Georgia. Knapp said privacy experts believe about 53 member files were accessed online.
The personal information might have included birth dates, Social Security numbers and member identification numbers for Medicaid or PeachCare for Kids, Georgia's version of the State Children's Health Insurance Program. The insurer said the exposed information did not include credit card, debit or other personal financial information.
WellCare will offer one year of free credit monitoring for affected members. In addition, the company said it has hired a national technology company to assess its privacy controls (Tampa Tribune, 4/9).
On Wednesday, the Georgia Department of Community Health said it has notified federal and state agencies that it might take enforcement action (Hendrick, Atlanta Journal-Constitution, 4/9).
NIH Data Breach
Meanwhile, NIH officials said Wednesday that the Social Security numbers of more than 1,200 participants in an NIH study were stored on a stolen laptop containing their medical records, the Washington Post reports.
Initially, NIH officials told the 3,078 patients whose records were stored on the stolen laptop that the data, which were unencrypted in violation of federal policy, did not include any information that could put their identity or finances at risk.
However, a file containing the Social Security numbers for at least 1,281 of the study participants was found during an ongoing review of data backed up from the laptop before it was stolen.
NIH spokesperson John Burklow said Wednesday that letters are being sent to affected participants, notifying them of the risk and offering them free credit-monitoring services.
In addition, NIH is insuring each participant for up to $20,000 in losses from identity theft. The estimated cost to taxpayers for those services is $18,400 (Weiss/Nakashima, Washington Post, 4/10).