"This information breach is only the latest in a disturbing series of cases where nonpublic personal information has been subjected to unauthorized access," Blumenthal said. "In this era of increasing reliance on technology, it is vitally important that companies entrusted with nonpublic personal information employ the highest levels of security."
The breach, reported Wednesday by The Courant, involved the online application process used by people shopping for individual health insurance in 10 states.
WellPoint says it notified insurance regulators of the breach on June 18, including Blumenthal's office and other state agencies.
"We are willing to share any information and respond to questions from Attorney General Blumenthal, regulators and Anthem members regarding this issue," said WellPoint spokeswoman Sarah Yeager. "We are currently reviewing the attorney general's request for extending the identity protection services for individuals in Connecticut to two years."
WellPoint hired a computer company to update security of the online system in October, but the contractors left a glitch. A person tinkering with the URL address learned that she could look at other people's applications, which include a person's name, Social Security number, credit card information, health information and medical history. Besides Connecticut, the breach affected Anthem and WellPoint customers in California, Colorado, Indiana, Kentucky Missouri, Nevada, New Hampshire, Ohio, and Wisconsin.
Blumenthal is asking WellPoint to provide the same protection he says other companies have offered in similar breaches: at least two years of credit monitoring, a minimum of $25,000 of insurance for identity theft and expenses related to a security freeze on credit accounts.
This is the latest of several information breaches involving medical data and personal information taken from an insurance company or hospital in recent years. Last year, a hard drive with seven years of personal and medical information of about 1.5 million Health Net customers, including 446,000 in Connecticut, was lost or stolen.
In February, a radiologist who formerly worked at Griffin Hospital in Derby broke into a computer archive system over several weeks and accessed medical information of 957 patients. In some cases, the patients were contacted by the doctor who was selling his professional services at a different hospital in the area.