Personal information that may have included Social Security numbers and pharmacy or medical data for about 128,000 WellPoint Inc. customers in several states was exposed online over the past year, the health insurer said Tuesday.
WellPoint, which has had other data security issues in the past, recently learned about the problem, fixed it and is notifying customers, spokeswoman Shannon Troughton said. The nation's largest health insurer by membership is offering free credit-monitoring services for those customers, but has received no reports of identity theft or credit fraud.
The latest security lapse stems from two servers maintained by an outside vendor that Troughton declined to identify. The vendor specializes in data management.
WellPoint had learned early last year that a server was improperly secured, and that information on about 1,350 customers may have been exposed online and was vulnerable to Internet search engines. The insurer fixed that breach quickly, Troughton said.
But the company recently learned that a second server had problems which exposed information for more than 128,000 customers to Internet access for about a year. That data had some code protection and couldn't be found by people using search engines.
That problem has been corrected, Troughton said, and the company is working with experts to improve its security. It is still using the same vendor.
"We're constantly working to fortify and bolster our security," she said.
WellPoint ran into security problems in October 2006, when someone stole back-up computer tapes containing the personal information of nearly 200,000 members from the office of a Massachusetts vendor.
Last year, a compact disc containing unprotected personal data for 75,000 customers went missing while it was being shipped between vendors working for WellPoint subsidiary Empire Blue Cross Blue Shield. The disc was recovered.
Such problems aren't limited to WellPoint. More than 225 million records for U.S. residents have been exposed due to security problems since 2005, according to the nonprofit Privacy Rights Clearinghouse.
A National Institutes of Health laptop computer containing medical information on 3,000 patients was stolen in late February.
Still, a security breach involving nearly 130,000 customers raises significant concerns, said Paul Stephens, the director of policy and advocacy at Privacy Rights.
"Health information is among the most personal sort of information," he said.
U.S. representatives Edward Markey of Massachusetts and Rahm Emanuel of Illinois, both Democrats, have introduced a bill in Congress that would establish health information privacy and security standards.
"We would say there should be a strong federal law that would ensure that there are minimum standards built into these systems when it comes to privacy, security and confidentiality," said Mark Bayer, Markey's deputy chief of staff.