If You Discover A Privacy Data Breach, You Probably Shouldn't Wait Three Months To Tell Users

from the fined dept

Insurance firm Wellpoint apparently left its medical records easily exposed on its servers from last October until March, exposing 470,000 users' medical records, credit card numbers and "other sensitive info." The company discovered the breach in February, but apparently waited until June to tell users. The company has now been fined $300,000 for not promptly notifying users, though that does seem like a rather low number considering how many records were apparently exposed...


Reader Comments

  •  
    IronM@sk, Nov 5th, 2010 @ 4:02am

    Punishment Fits The Crime?

    A single mum is ordered to pay $1.5m for illegally downloading 24 songs yet this company gets basically a slap on the wrist for exposing pretty important data. Yeah.

    •  
      Berenerd (profile), Nov 5th, 2010 @ 4:23am

      Re: Punishment Fits The Crime?

      Listen here bub...when you have the payroll like RIAA does of Federal Senators and lobbyists...you would get big bucks like them too...gawd...always picking on the hard working record company who only cares about its artists...THINK OF THE DOLPHINS!


      /sarc

    •  
      AJ, Nov 5th, 2010 @ 4:24am

      Re: Punishment Fits The Crime?

      Does seem strange at first, but once you think about it, it makes perfect sense.

      What the company did was an accident, they had no intention of harming thousands of people by not protecting their computer systems, I mean really... what's your SSN, credit card number, and medical history really worth these days? It's not like anyone can harm you with that data, and if they could, you would have to prove that in court... besides, it would probably cost a fortune to take that company to court, they may actually have some cash on hand and be able to defend themselves....

      On the other hand, that evil mum had to be taught a lesson, she was obviously attacking the music industry and causing it millions of dollars in damages by not paying for those 24 or so songs... there had to be an example set for all the other evil mums of the world..... and really, who cares about one mum?

      One song = $60,000
      One medical record/credit card/whatever = $634 +/-
      One mum = worthless......

      /sarc

  •  
    marak (profile), Nov 5th, 2010 @ 5:24am

    You too, for the low price of $1.56, can also give out anyone's personal info. Call now, special offer.

    And if you order in the next 15 minutes, you can get a double CD - yes, 24 songs - for the bargain price of $1.5M

    Where can I sign up?

  •  
    Pete Austin, Nov 5th, 2010 @ 5:27am

    Re: Punishment Fits The Crime?

    Those 470,000 Americans who let their personal details get leaked by this company have only themselves to blame. They are not forced by law to get medical insura... Oh wait...
    http://www.health.com/health/condition-article/0,,20359522,00.html

  •  
    Wolfy, Nov 5th, 2010 @ 5:59am

    Regarding all the mouth-noise about the Gov't making you buy health insurance (the horror!)... all the rethuglicans were all up in arms. What you didn't hear (from the media or anyone else for that matter) was that party was the one pushing mandatory property insurance and mandatory car insurance. It seems they have problems with double standards.

  •  
    Anonymous Coward, Nov 5th, 2010 @ 6:01am

    It should have been a 3 million dollar fine. Exposing sensitive information to the web should have gotten someone locked up. In my book that's aiding and abetting criminals and smacks of conspiracy. Even the stupid administrators being pushed out of trade schools are taught better than that in security class.

  •  
    Anonymous Coward, Nov 5th, 2010 @ 6:35am

    Re: AJ

    You said "It's not like anyone can harm you with that data"

    It sounds like you have never been the victim of identity theft. Wait until creditors start calling you because someone opened up a dozen long distance accounts in your name and they are all delinquent. Wait until a hospital refuses to give you care because someone claimed to be you and skipped on the bill. Wait until you have to spend 10 hours a day, every day for weeks, on the phone trying to convince people that you aren't who they think you are. Wait until you don't qualify for credit or a home loan because your credit rating was tanked. Wait until you lose your job because the creditors called your boss.

    The harm is very real and happens every day.

  •  
    NullOp, Nov 5th, 2010 @ 7:00am

    Punishment

    Medical records and credit cards at risk. Seems to me this would be a case for a CTO to do some jail time. It would be a great example of how not to mess with critical data. The sooner laws that cover blatant stupidity are enacted, the better. Yeah, like that's gonna happen...

  •  
    harbingerofdoom (profile), Nov 5th, 2010 @ 7:33am

    I find it rather sad that security breaches such as this, with the potential of causing millions in damages, would be taken so lightly.

    While I don't think it rises to the level of prison sentences, it surely merits more than a mere 60 cents per customer. The breach may have been accidental, but covering it up for three months was not and should have some very strong penalties associated with that action.

  •  
    kstahmer (profile), Nov 5th, 2010 @ 8:55am

    It makes sense

    Interesting juxtaposition: Insurance firm Wellpoint pays $300,000 for criminally irresponsible late disclosure of its 470,000 medical record security breaches and RIAA is awarded $1,500,000 for 24 illegally downloaded songs.

    It makes sense. Why does it make sense?

    It makes sense because Insurance firms and RIAA have bought off Congress, which makes the laws, and the criminal justice system, which enforces the laws.

  •  
    Scott, Nov 5th, 2010 @ 9:19am

    Federal HIPAA fines are ignored again

    Sean beat me to the punch; however, he is correct in his assessment. Additionally, Wellpoint is exposed to fines of up to $1,000 per record violation, which can translate into $470,000,000 in fines as well as significant criminal penalties including $50,000 in fines and up to 1 year of imprisonment. However, it is much more important that we prosecute possible music pirates because they are eroding our freedoms and exposing us to incomprehensible dangers.

  •  
    Anonymous Coward, Nov 5th, 2010 @ 9:58am

    $300,000 fine? Are you kidding me? Less than a dollar per person is NOTHING to a company like Wellpoint! Seriously, they make $300,000 just by denying ONE patient's cancer treatment! Do you honestly think they care about a measly $300,000? Considering the HUGE bureaucracy of an insurance company, that's probably their annual coffee budget!
    Publish an article about the HIPAA fines. I guarantee that will be a SIGNIFICANTLY higher amount!

  •  
    The Devil's Coachman (profile), Nov 5th, 2010 @ 10:21am

    Wellpoint wants to make more profit, that's why they did it.

    The interest of Wellpoint is primarily denying care to its clients, and hoping they die quickly, so if they can have a few of them die of strokes and heart attacks after their identities are stolen and they lose their jobs and are driven into bankruptcy, it suits them very nicely. Otherwise, some of those sumbitches might live long enough to get really expensive diseases, and it's easier to have them dead quickly than to have to fight the appeals of their coverage denials. Sorry, but that's how things actually work in this world, or at least in the US.
