A routine web site upgrade at Anthem Blue Cross-Blue Shield recently put the personal information of close to half a million customers at risk of being stolen for months.
A glitch in the coding for a new web site from Anthem Blue Cross-Blue Shield left sensitive identity information for up to 470,000 nationwide customers open to anyone who knew where to look for it, according to a report from television station KDVR in Denver. More troubling for customers is the fact that the information was available for around five months.
One identity theft expert told the station that insurance companies are the most vulnerable target for identity thieves because everything they would need to steal an identity, or create a new one, is "readily available on the first page of an insurance application." He also warned that if the security breach led to customers' social security numbers being exposed, they are at risk of being a victim of identity theft forever.
The station said that to make sure its customers' identities are secure, Anthem will offer one year of identity protection for free. One company spokeswoman told the station that though the company is investigating just how many people had access to its customers' personal information, it has found enough in its investigations to believe the risk is minimal. The company has sent all customers that could have been affected by the breach a warning letter saying their personal records may have been at risk.
A report from consumer identity protection news website eSecurity Planet reported that Anthem believes the web site problem arose when it outsourced the revamping of its website to a third-party vendor in October. The mix-up led to hundreds of thousands of pending applications being exposed. Those applications included about 230,000 people's medical records and Social Security numbers.
The report also said that Anthem wasn't even aware of the problem until attorneys filed a class-action lawsuit on behalf of some of the affected members, and that a later internal investigation found that one victim and his or her attorney were able to access the supposedly secure data several times. Anthem officials have said that they have no idea how many times the information was accessed during the five-month period, and have no way of finding out, either.