Indiana Attorney General Greg Zoeller has filed
a lawsuit against insurance company WellPoint for delaying notification
of a data breach to the AG's office and to the more than 32,000
customers in Indiana affected.
The suit claims that WellPoint violated two
Indiana notification laws, each of which carries a penalty of up to
$150,000 in fines, according to Molly Butters, a spokesperson for
Zoeller's office.
"Effective July 2009, there's a new law that
requires database owners to notify those two groups within a reasonable
period of time," Butters said, referring to House Enrolled Act 1121.
"After our investigation, we determined that WellPoint did not notify
either their customers or our office in a reasonable period based on
the information that we uncovered and is in the complaint," she told
eWEEK.
Since the law is new, this is the first time the Indiana AG office has filed a data breach complaint, Butters said.
WellPoint became aware of the breach on March 8,
and Zoeller's office found out about the breach in an Indianapolis Star
report in June, according to Butters.
"If it would impact the investigation in some
way, then delaying notifying the public is considered reasonable,"
Butters said. "In this case, that didn't happen. Law enforcement hadn't
directed WellPoint to delay their notification."
Zoeller's office submitted a written inquiry to
WellPoint in early July, WellPoint responded on July 30 and the Indiana
AG's office filed its suit on Oct. 29.
WellPoint began notifying customers on June 18.
WellPoint was upgrading an authentication and
log-in application, in SiteMinder, on the company's application Website
when it failed to implement security protections. As a result, a potential
identity thief could alter a URL to view applicants' personal data.
The data was publicly accessible through an
unsecured Website from October 2009 to March 2010, according to the
Indiana AG office.
In addition to Indiana, the breach exposed the
information for applicants in nine other states: California, Colorado,
Connecticut, Kentucky, Missouri, Nevada, New Hampshire, Ohio and
Wisconsin.
About 470,000 WellPoint customers may have been affected overall, according to the insurer.
The office of Connecticut Attorney General
Richard Blumenthal investigated the case earlier this year involving
5,600 WellPoint customers, according to the Hartford Courant.
"We did reach a settlement with them, and they did agree to provide two
years of credit protection to the affected people," the Connecticut
AG's office told eWEEK.
The compromised applications for WellPoint insurance policies
included Social Security numbers, health records and financial data,
the Indiana AG office reports.
While the Indiana attorney general's identity theft unit carries out
its investigation, it has encouraged affected WellPoint applicants to
get a credit check and security freeze, which Indiana residents can obtain for free.
The Indiana attorney general's office went the
local route in filing the suit rather than filing under the federal
HIPAA or HITECH Acts because of the stiffer penalties involved at the
state level, Butters said. The federal laws would involve penalties of
about $25,000 compared with about $150,000 each at the state level,
Butters said.
No consumer complaints have resulted from the WellPoint breach, according to the Indiana attorney general's office.
WellPoint offers health insurance through Anthem Blue Cross and Blue Shield.
"Anthem Blue Cross and Blue Shield is committed to
protecting the privacy and security of our members' and applicants'
personal information, in accordance with all applicable laws and
regulations," WellPoint said in a statement to eWEEK.
Since the breach occurred, WellPoint has taken
some security steps to prevent a recurrence, the
company said in a statement.
"In fact, though the majority of individuals who
submitted applications were not impacted by the incident, out of an
abundance of caution, each applicant received a detailed notification
from Anthem Blue Cross and Blue Shield explaining what happened, and
was offered identity protection services for one year at no cost,"
WellPoint said.
Meanwhile, Connecticut customers will get two years of identity protection, according to the state's AG office.
Compared with cases involving intentional theft,
accidental breaches such as these often don't result in fraud,
according to Butters.
"If there was an intentional theft of data, those
often result in some fraud or identity theft taking place within a week
or so," Butters said. "But that's not the situation."