WellPoint Inc has warned some 470,000 people who applied for its health insurance that a website security glitch may have exposed their Social Security numbers and other sensitive data to the public.
The top U.S. health insurer by membership learned of the problem in March when an applicant sued the company, saying she was able to obtain information in other people's applications for health insurance by manipulating URLs to a site that tracks membership applications, said WellPoint spokeswoman Cindy Sanders.
WellPoint quickly fixed the glitch, which was introduced in October by a contractor who upgraded the site, according to Sanders.
The company believes that the security glitch was exploited to access information on 940 insurance applications. Separately, unauthorized viewers accessed spreadsheets that in rare cases contained Social Security numbers, Sanders said.
WellPoint is doing forensic work to identify the applicants whose data was compromised.
"At this time we don't know exactly whose information was accessed," she said.
In the meantime, WellPoint has offered one year of identity-theft protection services to all 470,000 applicants.
Sanders declined to say how much it would cost WellPoint to provide those services and pay for other expenses related to the security breach.
The breach affected applicants under the age of 65 for individual health insurance policies, she said. WellPoint members who obtain their insurance through their employer were not affected.
The insurer does business in 14 U.S. states including California, Colorado, Indiana, Ohio, Nevada and Wisconsin.
Its shares were down 2.2 percent at $49.69 on the New York Stock Exchange on Tuesday afternoon. That was a narrower decline than the 3.4 percent drop in the S&P 500 Index.
(Reporting by Jim Finkle, editing by Matthew Lewis)