The Register says that that "only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their applications."
A spokesperson for Anthem told the paper that the information was accessed by lawyers looking for information in a class action lawsuit against Anthem. Others may have also accessed the information as well.
According to this AP story, a faulty website upgrade occurred in October 2009, and it was discovered only this spring when Anthem found out that the lawyers had accessed the information.
The Orange County Register published a letter by Anthem giving more details of problem:
"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."
Anthem apologized and said it was going to offer a year of identity protection service for free to those customers potentially affected. It also said the lawyers promised not to use the information they had obtained.
What I find interesting is that there is no FBI investigation - at least not yet - of the lawyers' activities in accessing the information like in the AT&T iPad website data breach, or any outcry that that the lawyers should have immediately notified Anthem about the website security flaw instead of exploiting it.
A double standard at work here?