Last night, bobstandard reported a major security breach at Anthem Blue Cross. He suggested it may have been because Anthem's security was so lax a first-time script kiddie could get in. Well, it turns out the fail was bigger than that. Much bigger.
In a written statement, Anthem Blue Cross explained how the breach occurred:
"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."
How long did this last? Five months, according to KABC-TV.
Incredible. How in the world could someone at a major health insurance provider not have noticed this security flaw for that long?
According to the Orange County Register, an LA resident found out that her application for coverage was available on the Web, and immediately filed a class-action lawsuit. When her attorneys tried to get evidence for the suit, they downloaded some confidential patient information, but have since relinquished it.
So let's see if we're understanding this right. If you applied for coverage with Anthem, everything an identity thief could want--your address, Social Security number, credit cards--was available for public view for five months, and nobody noticed. If someone really high up isn't thrown out on their ear for this, there's something fundamentally wrong. At this point, the only question is how big the settlement will be.
Update: I initially thought that Anthem could be facing charges for criminal violations of HIPAA, but EAColeinEmporia, an IT tech who works with HIPAA modifications, mentions that Anthem likely won't face criminal charges. Instead, they'll have to self-report this to HHS, and will likely have to pay a whopping fine. HIPAA fines accrue per individual and per incident, and considering Anthem is one of the biggest providers in the nation (and the biggest insurer in California), it could be looking at a fine in the eight-figure range.