UnitedHealthcare posted the Social Security numbers of doctors at Columbia University's faculty practice on a public Web site in a breach of security that exposed the doctors to identity theft.
The sensitive information was loaded on Oct. 31 and taken down Nov. 2.
United posted the taxpayer identification numbers, some of which were Social Security numbers, alongside the names of 993 providers at Columbia who participate in the insurer's network. The list was supposed to be accessible to Columbia employees during the current open enrollment period.
A United spokesman said the tax ID "inadvertently" included Social Security numbers, which were removed once the insurer was informed of the error. A forensic analysis showed there were some non-Columbia computers that downloaded the information, says the spokesman.
United complied with Columbia's request to notify the doctors, sent a company representative onsite to answer the doctors questions, and provided one-year protection from Equifax. Columbia's legal department will monitor whether fraud occurs. For now, most of the information appears to have been accessed by "legitimate Columbia addresses," says the spokeswoman.