If You Discover A Privacy Data Breach, You Probably Shouldn't Wait Three Months To Tell Users

from the fined dept

Fri, Nov 5th 2010 3:28am — Mike Masnick

Insurance firm Wellpoint apparently left its medical records easily exposed on its servers from last October until March, exposing 470,000 users' medical records, credit card numbers and "other sensitive info." The company discovered the breach in February, but apparently waited until June to tell users. The company has now been fined $300,000 for not promptly notifying users, though that does seem like a rather low number considering how many records were apparently exposed...

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, privacy, reporting
Companies: wellpoint

22 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

IronM@sk, 5 Nov 2010 @ 4:02am

Punishment Fits The Crime?
A single mum is ordered to pay $1.5m for illegally downloading 24 songs yet this company gets basically a slap on the wrist for exposing pretty important data. Yeah.
[ link to this | view in chronology ]
- Berenerd (profile), 5 Nov 2010 @ 4:23am
  
  Re: Punishment Fits The Crime?
  Listen here bub...when you have the payroll like RIAA does of Federal Senators and lobbiests...you would get big bucks like them too...gawd...always picking on the hard working record company who only cares about it's artists...THINK OF THE DOLPHINS!
  
  /sarc
  [ link to this | view in chronology ]
  - Anonymous Coward, 5 Nov 2010 @ 8:07am
    
    Re: Re: Punishment Fits The Crime?
    Your forgot the CHILDREN... THINK OF THE CHILDREN
    [ link to this | view in chronology ]
- AJ, 5 Nov 2010 @ 4:24am
  
  Re: Punishment Fits The Crime?
  Does seem strange at first, but once you think about it, it makes perfect since.
  
  What the company did was an accident, they had no intention of harming thousands of people by not protecting their computer systems, I mean really... whats your SSN, credit card number, and medical history really worth these days? It's not like anyone can harm you with that data, and if they could, you would have to prove that in court... besides, it would probably cost a fortune to take that company to court, they may actually have some cash on hand and be able to defend themselves....
  
  On the other hand, that evil mum had to be tought a lesson, she was obviously attacking the music industry and causing it millions of dollars in damages by not paying for those 24 or so songs... there had to be an example set for all the other evil mums of the world..... and really, who cares about one mum?
  
  One song = $60,000
  One medical = record/credit card/ whatever = $634 +/-
  One mum = worthless......
  
  /sarc
  [ link to this | view in chronology ]
  - btrussell (profile), 5 Nov 2010 @ 5:09am
    
    Re: Re: Punishment Fits The Crime?
    One medical = record/credit card/ whatever = $0.64
    [ link to this | view in chronology ]
    - AJ, 5 Nov 2010 @ 6:30am
      
      Re: Re: Re: Punishment Fits The Crime?
      I forgot my decimal! Thanks for the correction.
      [ link to this | view in chronology ]
  - Stuart (profile), 5 Nov 2010 @ 7:02am
    
    Re: Re: Punishment Fits The Crime?
    Exposing the data was an accident. Hiding that fact for 3 months was not.
    [ link to this | view in chronology ]
  - Sean T Henry (profile), 5 Nov 2010 @ 8:29am
    
    Re: Re: Punishment Fits The Crime?
    Every one that has Wellpoint needs to go to http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html and submit a complaint for violation of HIPAA. I believe that the max award is $11,000 per person and that is what a doctors office would have brought against the if they gave away this info.
    [ link to this | view in chronology ]
marak (profile), 5 Nov 2010 @ 5:24am

You too for the low price of $1.56 can also give out anyones personal info. Call now special offer.

And if you order in the next 15 minutes, you can get a double cd - yes 24 songs - for the bargain price of $1.5M

Where can i sign up?
[ link to this | view in chronology ]
Pete Austin, 5 Nov 2010 @ 5:27am

Re: Punishment Fits The Crime?
Those 470,000 Americans who let their personal details get leaked by this company have only themselves to blame. They are not forced by law to get medical insura... Oh wait...
http://www.health.com/health/condition-article/0,,20359522,00.html
[ link to this | view in chronology ]
Wolfy, 5 Nov 2010 @ 5:59am

Regarding all the mouth-noise about the Gov't making you buy health insurance (the horror!)... all the rethuglicans were all up in arms. What you didn't hear (from the media or anyone else for that matter)was that party was the one pushing mandatory property insurance and mandatory car insurance. It seems they have problems with double standards.
[ link to this | view in chronology ]
- harbingerofdoom (profile), 5 Nov 2010 @ 7:28am
  
  Re:
  thank you for supplying my daily quota of political partisan derp!
  [ link to this | view in chronology ]
Anonymous Coward, 5 Nov 2010 @ 6:01am

It should have been a 3 million dollar fine. Exposing sensitive information to the web should have gotten someone locked up. In my book that's aiding and abetting criminals and smacks of conspiracy. Even the stupid administrators being pushed out of trade schools are taught better than that in security class.
[ link to this | view in chronology ]
Anonymous Coward, 5 Nov 2010 @ 6:35am

Re: AJ
You said "It's not like anyone can harm you with that data"

It sounds like you have never been the victim of identity theft. Wait until creditors start calling you because someone opened up a dozen long distance accounts in your name and they are all delinquent. Wait until a hospital refuses to give you care because someone claimed to be you and skipped on the bill. Wait until you have to spend 10 hours a day, every day for weeks, on the phone trying to convince people that you aren't who they think you are. Wait until you don't qualify for credit or a home loan because your credit rating was tanked. Wait until you loose your job because the creditors called your boss.

The harm is very real and happens every day.
[ link to this | view in chronology ]
- Anonymous Coward, 5 Nov 2010 @ 6:37am
  
  Re: Re: AJ
  Um...I think you missed the sarcasm...
  [ link to this | view in chronology ]
NullOp, 5 Nov 2010 @ 7:00am

Punishment
Medical records and credit cards at risk. Seems to me this would be a case for a CTO to do some jail time. It would be a great example of how not to mess with critical data. The sooner laws that cover blatant stupidity are enacted, the better. Yeah, like thats gonna happen...
[ link to this | view in chronology ]
harbingerofdoom (profile), 5 Nov 2010 @ 7:33am

i find it rather sad that security breeches such as this with the potential of causing millions in damages would be taken so lightly.

while i dont think it rises to the level of prison sentances, it surely merits more than a mear 60 cents per customer. the breech may have been accidental, but covering it up for three months was not and should have some very strong penalties associated with that action.
[ link to this | view in chronology ]
- harbingerofdoom (profile), 5 Nov 2010 @ 7:33am
  
  Re:
  and yes, i did incorrectly spell a couple words... its early and i have not had enough coffee so shup
  [ link to this | view in chronology ]
kstahmer (profile), 5 Nov 2010 @ 8:55am

It makes sense
Interesting juxtaposition: Insurance firm Wellpoint pays $300,000 for criminally irresponsible late disclosure of its 470,000 medical record security breaches and RIAA is awarded $1,500,000 for 24 illegally downloaded songs.

It makes sense. Why does it make sense?

It makes sense because Insurance firms and RIAA have bought off Congress, which makes the laws, and the criminal justice system, which enforces the laws.
[ link to this | view in chronology ]
Scott, 5 Nov 2010 @ 9:19am

Federal HIPAA fines are ignored again
Sean beat me to the punch; however he is correct in his assessment. Additionally, Wellpoint is exposed to fines of up to $1,000 per record violation which can translate into $470,000,000 in fines as well as significant criminal penalties inclucing $50,000 in fines and up to 1 year of imprisonment. However, it is much more important that we prosecute possible music pirates because they are erroding our freedoms and exposing us to incomprehensible dangers.
[ link to this | view in chronology ]
Anonymous Coward, 5 Nov 2010 @ 9:58am

$300,000 fine? Are you kidding me? Less than a dollar per person is NOTHING to a company like Wellpoint! Seriously, they make $300,000 just by denying ONE patient's cancer treatment! Do you honestly think they care about a measly $300,000? Considering the HUGE bureaucracy of an insurance company, that's probably their annual coffee budget!
Publish an article about the HIPAA fines. I guarantee that will be a SIGNIFICANTLY higher amount!
[ link to this | view in chronology ]
The Devil's Coachman (profile), 5 Nov 2010 @ 10:21am

Wellpoint wants to make more profit, that's why they did it.
The interest of Wellpoint is primarily denying care to its clients, and hoping they die quickly, so if they can have a few of them die of strokes and heart attacks after their identities are stolen and they lose their jobs and are driven into bankruptcy, it suits them very nicely. Otherwise, some of those sumbitches might live long enough to get really expensive diseases, and it's easier to have them dead quickly than to have to fight the appeals of their coverage denials. Sorry, but that's how things actually work in this world, or at least in the US.
[ link to this | view in chronology ]