Home  |  Contact   |   Testimonials   |   Site Map   |  Glossary
Utah Health InsuranceUtah HealthUtah Health Insurance

Your Health History

How Secure is it from Cyber Space Pirates?


FIRST let me assure you that your information with us is protected completely.  I despise scare tactics and unfounded anxiety.  But I have many and I really mean MANY people call me with panic and disgust wishing that they had known better. The last thing I want you to feel is that. I also do not want to insult your intelligence. BUT I don't know what web sites you visited before ours or how they protect you. So you really need to be informed on a few things. Lets review some facts 1st.

Fact #1 Health insurance carriers that are local to Utah (IHC HEALTH PLANS, Regency Blue Cross Blue Shield, ALTIUS) hold databases on you for claim payments made and types of claims received.  These databases are internal and not readily accessible from cyberspace or the internet in general.  Therefore "Cyber Pirates" cannot cyberly reach your information.  Some of these insurance carriers will give you online service to access your claim history but it is vague to protect you by security methods. Only deal with local carriers or certain national carriers that we approve.

Fact #2 "Health Insurance" websites that you find on the internet, including ours (although we feel we are more an informational site that aides) are designed to market health insurance policies to online shoppers. It is a wonderful mechanism if the site you are on is interactive to help you understand differences between policies and insurance companies.
Fact #2a
Some of these web sites are set up to allow you to enroll into a health insurance policy for APPROVAL online through cyberspace. Or another way of saying this is that you fill out an health application through that   web site to apply for coverage. You answer health questions, you give details to medical conditions you have or had, you give details to prescriptions you have and had been on, you disclose health conditions you have or had, you disclose surgeries you had, you basically disclose your health history.  Guess what....it is recorded into a online database which is reachable by "Cyber Pirates". These types of websites than transfer your information through cyberspace to the insurance carrier's underwriter.

Fact #3 Our system never requires you to complete an application for health insurance "ONLINE". You recall that we mailed you an application.  Or you had the ability to download an OFFICIAL CARRIER APPROVED application and print to complete manually.  Or you could had downloaded a programmed "interactive" application in which you were able to complete on your own computer screen and print. The application had to be completed all at one sitting which meant you COULDN'T SAVE IT and come back to it later which puts you at risk.
Fact #3a WE DO NOT sell your contact information to insurance agents eager to sell you a policy. We have seen that folks information for purpose of "contacting" has been sold several times over (without your permission) and rotated to many different informational sources for marketing. Many health insurance web sites simply tell you that it is advantageous to have several agents contact you. Well...as many of you know they certainly do along with several dozen others.  These sites make money on selling your information as a LEAD.
Fact #3b Our security standard for your health insurance application process is completely protected. Yes it requires some manual work on your part BUT is well worth your protection in light of today's developing cyber world. We use Adobe Acrobat platform which is widely recognized and in fact is really the only safe  "DOWNLOADABLE" forms available in the cyberspace world.


Fact #4 What are governmental organizations doing to protect you?  This is important to be part of the GOOD NEWS of HISTORY in the making and not the BAD NEWS. We belong to and are approved by which holds us to the highest standards of "Privacy".  Yes you will see this symbol on other insurance web sites BUT did you have to complete health questions through their site?  Was it protected?  I would suggest "NO" because of what I have heard at the "water cooler" and what TRUSTe reports to its members.

They say the following>>>

April 2005 : Volume 2 : Number 4 : policy@truste.org
TRUSTe Policy Flash : A Monthly Email Update Helping You Stay Current with Privacy Legislation

In this issue:

This month’s Policy Flash examines state legislation proposed to increase data security standards and notification requirements. So far this year state legislatures in 31 states have introduced 74 bills in response to recent data-security lapses by major organizations. This edition also addresses important news from the Federal Trade Commission (FTC) on the issue of commercial Web sites' responsibility for the information practices of service providers.

By Emily Hackett
Executive director, Internet Alliance


Data security is the number-one Internet and information industry issue in the states this year.

Breaches at ChoicePoint, DSW Shoe Warehouse, LexisNexis, and American Express have made consumers nervous about the security of their personal information in the data banks of private companies.

The University of California, Berkeley, is the latest public institution to report a computer security breach. This time the safety of tens of thousands of names, birth dates, Social Security numbers, and addresses was compromised when a laptop was stolen. This is the second time this month that a California university has reported a breach. Hackers also broke into the housing and food-services computer system at California State University, Chico. The system contained personal information belonging to 59,000 current, former, and prospective students, as well as faculty and staff.

States Respond

States are responding to consumer complaints by advancing security-breach notification legislation. Private and public databases are included in the debate. As we saw during the spam debates, state legislatures are more nimble than Congress, and will act before the federal legislative branch. Thirty-six states passed spam laws in the five years before Congress finally passed the CAN-SPAM Act.

All 50 states meet in 2005 and 43 remain in session. So far this year state legislatures in 31 states have introduced 74 bills proposing increased data security standards and notification requirements.

California passed the first data security breach law in 2002 (SB 1386/Chapter 915) before the recent problems had even occurred. Most new bills start out looking like the California law. There are three types of bills:

  1. The California Model. Thirty-nine of the bills (pending in 19 states) are modeled after the California law, which does the following:

    • The law requires companies to notify customers of security breaches that may have resulted in the release of their sensitive personal and financial information. The law does not set a timeframe for when a company must notify consumers. Instead, a “disclosure shall be made in the most expedient time possible and without unreasonable delay.”
    • The law defines "personal information" to mean an individual's first name or first initial and last name in combination with one or more personal identifying data elements, when either the name of the individual or the personal data elements are not encrypted. The Internet Alliance is lobbying to strike the words “either the name or.” Otherwise, the law could be interpreted to mean that any data containing someone’s name must be encrypted.
    • The law allows companies to choose what method they may use to notify consumers: mail, email, Web site posting, or mass media.
  2. Broader or More Restrictive than California. Almost half of the states are proposing broader definitions of personal information, do not address encrypted information, capture paper files, and/or contain additional information regulating data. Twenty-seven of such bills are pending in 14 states. Montana’s HB 732 is drafted so broadly that it would require a business to share confidential business information with a competitor.
  3. Apply Only to State Government. The remaining six bills pending in five states (Indiana, North Dakota, Texas, Virginia, and Washington) single out state agencies.

The Role of Industry

How should industry respond to this flurry of state legislation? The Internet Alliance recommends the following responses:

  • Promote the California model.
  • Work in all states that consider the legislation.
  • Keep thee definition of “personal information” narrow.
  • Limit the requirement to computer files, not to paper as well.
  • Keep the debate focused on data-security breaches and avoid opening up the Internet privacy debate again.
  • Promote a reasonable bill in the U.S. Congress.
  • Promote industry as responsible stewards of personal information.


By Martha Landesberg
Senior policy advisor, TRUSTe


There is important news from the Federal Trade Commission (FTC) on the issue of commercial Web sites’ responsibility for the information practices of their service providers. On March 10, the FTC announced a settlement with Vision I Properties, LLC, dba CartManager International, a provider of shopping cart services for Web sites. The case has far-reaching implications for commercial Web sites that use service providers to manage personal information gathered in commercial transactions.

CartManager’s software enables “shopping cart” and “checkout” functionality on its merchant customers’ Web sites. When consumers make a purchase, they enter their contact and credit card information onto Web pages that look like the merchants’ Web sites, although the Web pages are in fact on CartManager’s server.

CartManager’s standard contract provided that all personal information collected through its shopping cart and checkout pages was the property of CartManager. However, the FTC alleged that this provision was hidden among other contract terms and that CartMananger failed otherwise to emphasize this point in its dealings with merchants. A number of CartManager’s clients had Web site privacy statements or “terms and conditions” statements indicating that they did not sell, rent, or share personal information collected on their Web sites.

According to the FTC, CartManager sold almost one million names, addresses, and purchase histories it had gathered -- without notifying its merchant clients -- to third parties for the purposes of marketing products and services by mail and by telephone. CartManager did so, the FTC alleged, despite the disclosures in the merchants’ privacy statements that personal information would not be shared, and in violation of representations in CartManager’s standard contracts that it would abide by the merchants’ Web site terms and conditions. The FTC alleged that CartManager’s actions were both deceptive and unfair.

The settlement prohibits CartManager from disclosing the personal information it collected before the settlement date, and requires CartManager to disgorge profits it made from its sale of that personal information. Most significant, it requires CartManager to provide clear and conspicuous notice to both its merchant customers and consumers that the personal information collected on its shopping cart and checkout pages is subject to CartManager’s privacy statement and will be shared with third parties.

Although the FTC brought this case against a service provider, it has sent a clear signal that companies must (1) be vigilant about their service providers’ information practices; (2) take steps necessary to bring those practices in line with their own practices for handling personal information; and (3) review their own public-facing privacy statements for accuracy regarding both their own and their service providers’ practices. Based upon public statements by FTC officials, it seems likely that the commission will ultimately take action against companies who fail to look into their service-providers’ information practices. As FTC Bureau of Consumer Protection director Lydia Parnes has said,


“Companies and service providers must make sure that their privacy policies are in sync. . . . A service provider cannot secretly collect and rent consumers’ personal information contrary to a merchant’s privacy policy. At the same time, merchants have an obligation to know what their service providers are doing with consumers’ personal information.”


TRUSTe will continue to keep you apprised of developments at the FTC that relate to the privacy of customer information.

©2005 TRUSTe. All rights reserved.
TRUSTe presents the views and opinions of our contributing authors, and does not necessarily share or endorse these views.