The New York Times reports that health insurance company Anthem Blue Cross sent some customers e-mails whose subject lines contained sensitive information:
On Monday, in a similar error, some California residents received emails from their health insurer, Anthem Blue Cross, with personal details about them contained in the subject line.
The text of the emails encouraged members to visit their doctors for checkups and to discuss certain medical screening tests. […]
But the emails’ subject lines included member-specific demographic details like age range and language. They also listed possible medical screening tests — marked “Y” for recommended tests and “N” for tests not listed in the email. […]
Kristin Binns, a spokeswoman for Anthem Blue Cross, said the company was looking into the matter. Anthem Blue Cross is the trade name for Blue Cross of California. […]
California has a law requiring businesses to notify California residents, within a reasonable time period, if their unencrypted personal information — including medical history, mental or physical condition, medical treatment or diagnosis by a health care professional — might have been involved in a security breach. It is the first state to enact such a data breach notification law.
It is unclear whether the emails sent on Monday will require a breach notification.