California Attorney General Kamala Harris said that her office has settled the lawsuit for $150,000. Anthem Blue Cross was facing legal action after sending policyholders auto-generated letters that not only had their full Social Security numbers printed on them, but also clearly showed those numbers through the clear plastic window in the envelopes. The letters were sent to 33,756 Medicare Supplement and Medicare Part D subscribers between April 2011 and March 2012.
The Social Security numbers were included as part of priority codes for marketing purposes and on payment letters.
As a result, Harris’ office found Anthem in violation of a state law that restricts the disclosure of Social Security numbers, and filed a complaint against Anthem in Los Angeles Superior Court.
For its part, Anthem Blue Cross said that it suspended mailings as soon as the company became aware of the problem. The company also said that it implemented training and processes to correct the error and developed an alert system that will notify officials when sensitive data are requested by the marketing department. As part of the settlement terms, it is also providing enhanced data security training for all associates and is restricting employee access to members' Social Security numbers.
"Our office is committed to protecting the privacy of Californians," Harris said. "This settlement requires the company to make significant improvements to its data security procedures to ensure this type of error does not happen again."
Meanwhile, the damage from the breach has been limited, Anthem said. "There is no indication of a data breach or that any information from these mailings was used in a way that was detrimental to our members," said Anthem spokeswoman Leslie Porras, speaking to the Sacramento Business Journal. She said that those affected were notified and offered free credit monitoring. The company website, however, makes no mention of the issue.
The incident is a good example of what healthcare industry observers say is a prime security problem: the lack of focus on patient data security. Recent studies show that flaws in internal data handling processes, as happened with Anthem, and the lack of security awareness on the part of employees in healthcare systems lead to the biggest issues.