WellPoint has agreed to pay Indiana $100,000 for waiting months before notifying the state attorney general's office of a data breach affecting 32,000 customers.

Health care insurer WellPoint has agreed to pay the Indiana attorney general's office $100,000 for failing to notify officials within a reasonable amount of time of a data breach affecting 32,000 customers.

Indiana Attorney General Greg Zoeller filed a lawsuit against WellPoint on Oct. 29 for violating two Indiana notification laws. Each one carried a penalty of up to $150,000 in fines.

Under Indiana's House Enrolled Act 1121-2009, companies that suffer data breaches must inform consumers and the attorney general "without unreasonable delay."

The data breach involved the exposure of Social Security numbers, financial information and health records through an unsecured Website as part of the insurance policy application process. An online application program tracker left information exposed from Oct. 23, 2009, to March 8, 2010.

A consumer notified WellPoint on two separate occasions (Feb. 22, 2010, and March 8, 2010) that the data breach had occurred. The insurer then notified 470,000 consumers on June 18, 2010. WellPoint had yet to notify Zoeller's office by that time, however, and his office contacted WellPoint about the incident July 30, 2010.

The total number of customers WellPoint notified would later reach 645,000 nationwide.

"The requirement to notify the attorney general 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper," Zoeller said in a

Based in Indianapolis, WellPoint is the parent company of health plan Anthem Blue Cross and Blue

"Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information," WellPoint said in a statement. "We have implemented IT security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately."

The Indiana attorney general's office announced the settlement with WellPoint July 5.

As part of the settlement, the Indiana attorney general will apply WellPoint's $100,000 to the Consumer Assistance Fund, which gives back to consumers who were affected by the breach and helped in the investigation.

Meanwhile, WellPoint will abide by the Disclosure of Security Breach Act and admit failure to notify the attorney general's office in the time required.

As is customary in data breaches, WellPoint has agreed to provide two years of credit monitoring and identity-theft protection to affected customers.

In addition, WellPoint will pay up to $50,000 to customers for losses from the breach.

Zoeller is offering a credit freeze to customers at Indianaconsumer.com so that identity thieves will be unable to open a line of credit.

"Many companies keep vast quantities of consumers' personal data, and they are required to handle it confidentially and not carelessly," Zoeller said. "That's not just good business practice; that's the law," he added.

"This case should be a teaching moment for all companies that handle consumers' personal data," Zoeller continued. "If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general's office and consumers promptly."

Zoeller advocated paying attention to early warning signs to avoid data breaches.

Recent data breaches have occurred at health care facilities such as Arizona in Tucson, Ariz., and Henry Ford Health System in Detroit, where a lost flash drive left the personal information of 2,777 patients at risk.