Indianapolis-based WellPoint Inc. has notified 470,000 individual insurance customers about a security breach that may have exposed medical records, credit card numbers and other sensitive information.
The company said the problem stemmed from an online program customers can use to track the progress of their application. It was fixed in March.
WellPoint is the largest commercial health insurer based on membership, with nearly 34 million members. It runs Blue Cross Blue Shield plans in 14 states and Unicare plans in several others.
Spokeswoman Cynthia Sanders said the insurer notified customers in most of its states. That includes about 230,000 customers of its Anthem Blue Cross subsidiary in California.
The possible breach affected only individual insurance customers and not group coverage or people who buy Medicare Advantage insurance.
Sanders said an outside vendor had upgraded the insurer's application tracker last October and said all security measures were back in place after the work was finished. But a California customer found she could call up confidential information of other customers by manipulating Web addresses used in the program. Customers use a website and password to track their applications.
WellPoint learned about the problem when the customer filed a lawsuit about it against the company in March.
"Within 12 hours of knowing the problem existed, we fixed it," said Sanders, who declined to identify the outside vendor.
Sanders said the company believes a "vast majority" of the unauthorized access of customer information came from the plaintiff and her attorneys.
The insurer notified all individual insurance customers who had information in its application tracking program from October through March. It will provide a year of free credit monitoring.