Insurance Applications Exposed
Image credit: Peqsels

Insurance Applications in the Hundreds of Thousands Exposed

Insurance technology startup BackNine has announced that it has made public hundreds of thousands of insurance applications. This happened after one of its web host left cloud servers without protection on the internet.

TechCrunch reports that the California-based startup develops back-office software to assist larger insurance companies. The larger companies sell and maintain life and disability insurance policies. Chances are good that BackNine may have processed your personal information if you applied for insurance in the past several years.

The startup partners with some of America’s largest insurance carriers. Many of the insurance applications found in the exposed bucket were for Prudential TransAmerica, John Hancock, Lincoln Financial Group, and AIG.

In addition to this work, BackNine also provides a white-labeled “web form” for smaller or independent financial planners who sell insurance plans on their own websites.

Amazon’s cloud hosts BackNine’s storage servers. The startup says that Amazon misconfigured this server to permit members of the public access to the more than 711,000 files inside. This data includes completed insurance applications that contain applicants’ extremely sensitive personal and medical information. Moreover, the files contained images of individuals’ signatures and other internal BackNine files.

Insurance Applications Form
Insurance Applications Form
Image credit: Peqsels

Editors at TechCrunch reviewed some of the materials and found contact information, such as full names, addresses, and phone numbers, along with also Social Security numbers, medical diagnoses, medications taken and detailed completed questionnaires about an applicant’s health, past and present.

Other files for insurance applications included lab and test results, like blood work and electrocardiograms. Plus, there were applications that contained driver’s license numbers. The exposed documents date back to 2015, and as recently as this month.

Amazon names its storage servers “buckets,” which are private by default. However, it BackNine’s case, someone with control of the buckets appears to have changed its insurance applications permissions to public. Sadly, none of the data was encrypted.

Amazon Web Services (AWS) is an adopted cloud platform that offers more than 200 fully-featured services from global data centers. Millions of customers — including fast-growing startups — use AWS.

Its website says that AWS plans to be “the most flexible and secure cloud computing environment available today.” The company has designed its core infrastructure to satisfy the security requirements for the military, global banks, and other high-sensitivity organizations. AWS says

[T]his is backed by a deep set of cloud security tools, with 230 security, compliance, and governance services and features. AWS supports 90 security standards and compliance certifications, and all 117 AWS services that store customer data offer the ability to encrypt that data.

TechCrunch contacted BackNine vice president Reid Tattersall but received no response. However, within minutes of providing Tattersall with the name of the exposed bucket, the data was locked down. The news source asked Tattersall if the startup alerted local authorities per state data breach notification laws. Alternative, did the company have any plans to notify the affected individuals who suffered data exposure? They didn’t get an answer.

Companies can face stiff financial and civil penalties for failing to disclose a cybersecurity incident such as exposing insurance applications. BackNine is based in California, a state with some of the most aggressive data protections laws in the country. The California Consumer Privacy Act provides for the imposition of penalties for violations. The California Attorney General’s Office is authorized to seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation.

The CCPA applies to for-profit organizations that operate in California and satisfy one of these criteria:

  • Annual revenues of $25 million or more;
  • Buying, selling, receiving, or sharing the personal data of more than 50,000 consumers per year for commercial purposes; or
  • Deriving more than half of annual revenues from the sale of California consumers’ personal information.

These criteria could render BackNine liable for exposing client insurance applications.

Ryan Carpenter serves as Attorney and Managing Director of Carpenter Wellington. Ryan advises clients across a broad set of corporate and commercial matters.