The Indianapolis company said the problem stemmed from an online program customers can use to track the progress of their application for coverage. It was fixed in March.
Spokeswoman Cynthia Sanders said an outside vendor had upgraded the insurer's application tracker last October and told the insurer all security measures were back in place.
But a California customer discovered that she could call up confidential information of other customers by manipulating Web addresses used in the program. Customers use a Web site and password to track their applications.
WellPoint learned about the problem when the customer filed a lawsuit about it against the company in March.
"Within 12 hours of knowing the problem existed, we fixed it," said Sanders, who declined to identify the outside vendor.
WellPoint is the largest commercial health insurer based on membership, with nearly 34 million members. It runs Blue Cross Blue Shield plans in 14 states and Unicare plans in several others.
Sanders said the insurer notified customers in most of its states. That includes about 230,000 customers of its Anthem Blue Cross subsidiary in California.
About 356 million records of U.S. residents have been compromised or exposed due to security breaches since 2005, according to Privacy Rights Clearinghouse, a consumer advocacy group that tracks such reports.
WellPoint's security breach doesn't crack the top 10 in terms of number of people who may have had information exposed, said Paul Stephens, the organization's director of policy and advocacy. Even so, he labeled the breach "very serious" because it possibly involved both financial and medical information.
"There are obviously multiple concerns there for consumers," he said.
Two years ago, WellPoint offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor's office.
WellPoint's latest breach affected only individual insurance customers and not group coverage or people who buy Medicare Advantage insurance. Sanders said the company believes a "vast majority" of the unauthorized access of customer information came from the plaintiff and her attorneys.
The insurer notified all individual insurance customers who had information in its application tracking program from October through March. It will provide a year of free credit monitoring.
WellPoint shares fell 69 cents to $50.10 in Tuesday afternoon trading, while broader trading indexes slid more than 2 percent.