Everyone who is security conscious knows that a business should never print consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.
Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 between April 2011 and March 2012. The lawsuit claimed that this violated state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.
This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.
Terms of the settlement include a $150,000 payment and:
"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."
The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.