Health insurance giant WellPoint has already annoyed its customers by trying to jack up their rates and dropping breast cancer patients’ coverage after they’d been diagnosed with the disease. But now they really have some explaining to do, after a security breach exposed medical records, credit card numbers and other information of 470,000 customers.

WellPoint says the fault, dear readers, lies not within their hands, but in the hands of an outside vendor hired last October to update an application on the company’s website.

The vendor had supposedly promised WellPoint that all security measures were back in place after the upgrade was performed.

Except not.

Soon after the upgrade, a woman in California discovered that, by playing around with the URL, she could call up confidential information of other customers.

According to WellPoint, they had the leak fixed within 12 hours of learning about it and subsequently filed suit against the unnamed outside vendor. However, that doesn’t erase the fact that customers’ accounts were exposed between October 2009 and March 2010.

The insurance company, the nation’s largest health provider by policyholders, has sent out notices to customers whose accounts were exposed. It will provide a year of free credit monitoring to those exposed customers.

This isn’t the first time WellPoint has had to issue a “our bad” following a security breach. In 2008, information for around 128,000 customers was exposed. To atone, the company also offered free credit monitoring to affected customers.

And way back in 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.

Security glitch exposes WellPoint customers’ financial, medical data [USA Today]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.