The Register says that that "only customers who had pending insurance applications in the system are being contacted because information was viewed through an on-line tool that allows users to track the status of their applications."
A spokesperson for Anthem told the paper that the information was accessed by lawyers looking for information in a class action lawsuit against Anthem. Others may have also accessed the information as well.
According to this AP story, a faulty website upgrade occurred in October 2009, and it was discovered only this spring when Anthem found out that the lawyers had accessed the information.
The Orange County Register published a letter by Anthem giving more details of problem:
"The ability to manipulate the web address (URL) was available for a relatively short period of time following an upgrade to the system. After the upgrade was completed, a third party vendor validated that all security measures were in place, when in fact they were not. As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."
Anthem apologized and said it was going to offer a year of identity protection service for free to those customers potentially affected. It also said the lawyers promised not to use the information they had obtained.
What I find interesting is that there is no FBI investigation - at least not yet - of the lawyers' activities in accessing the information like in the AT&T iPad website data breach, or any outcry that that the lawyers should have immediately notified Anthem about the website security flaw instead of exploiting it.
A double standard at work here?
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.