Medical insurer warns 70,000 Georgians of security breach

By Craig Schneider

The Atlanta Journal-Constitution

The state's largest health insurance company has warned 70,000 Georgians that their personal medical information, Social Security numbers and credit card data may have been wrongly accessed because of a Web site security breach.

The security problem at Blue Cross and Blue Shield of Georgia is part of an even larger Web site breach of its parent company, WellPoint, which this month sent warning letters to 470,000 people across the country.

Information was exposed for five months, said company spokeswoman Cindy Sanders. It affected applicants under the age of 65 who were applying for individual policies.

She said the problem occurred following a faulty Web site upgrade in October.

"We used a third-party vendor. They told us all security measures were in place," Sanders said. "They weren't."

A small number of site users were able to access private information after manipulating the Web address that people applying for insurance use to track the status of their application, she said. The company learned of the access opening when an attorney for one of those users filed a class action lawsuit regarding the breach against the insurer in March.

Company officials believe most of the unauthorized access was accomplished by the attorneys for the user. But the company's investigation has yet to identify 10 computer addresses that accessed information. Sanders said some of that access could have been done by those with authorization, such as insurance brokers seeking client information.

She said the company fixed the security opening within 12 hours of learning about it and has no indication that any information was used inappropriately. The letters explain to the applicants what happened, warn them about potential identity theft and offer them identity protection services for a year.

Georgia Insurance Commissioner John Oxendine said through a spokesman Tuesday that he is concerned that the company took months to notify the applicants and his office. If the state insurance agency determines the delay was unwarranted, it could fine the company, spokesman Glenn Allen said. Otherwise, the state agency is satisfied with the insurer's plan to correct the problem, he said.

Company spokeswoman Sanders said the insurer was trying to determine exactly who was affected by the breach, and when it couldn't confirm whose information was accessed, decided to notify a wide group.

Two years ago, Blue Cross and Blue Shield of Georgia erred in sending an estimated 202,000 benefits letters containing personal and health information to the wrong addresses.