Health care insurer WellPoint has agreed to pay the Indiana attorney general's office $100,000 for failing to notify officials within a reasonable amount of time of a data breach affecting 32,000 customers.
Indiana Attorney General Greg Zoeller filed a lawsuit against WellPoint on Oct. 29 for violating two Indiana notification laws. Each one carried a penalty of up to $150,000 in fines.
Under Indiana's House Enrolled Act 1121-2009, companies that suffer data breaches must inform consumers and the attorney general "without unreasonable delay."
The data breach involved the exposure of Social Security numbers, financial information and health records through an unsecured Website as part of the insurance policy application process. An online application program tracker left information exposed from Oct. 23, 2009, to March 8, 2010.
A consumer notified WellPoint on two separate occasions (Feb. 22, 2010, and March 8, 2010) that the data breach had occurred. The insurer then notified 470,000 consumers on June 18, 2010. WellPoint had yet to notify Zoeller's office by that time, however, and his office contacted WellPoint about the incident July 30, 2010.
The total number of customers WellPoint notified would later reach 645,000 nationwide.
"The requirement to notify the attorney general 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper," Zoeller said in a statement.
Based in Indianapolis, WellPoint is the parent company of health plan Anthem Blue Cross and Blue Shield.
"Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information," WellPoint said in a statement. "We have implemented IT security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately."
The Indiana attorney general's office announced the settlement with WellPoint July 5.
As part of the settlement, the Indiana attorney general will apply WellPoint's $100,000 to the Consumer Assistance Fund, which gives back to consumers who were affected by the breach and helped in the investigation.
Meanwhile, WellPoint will abide by the Disclosure of Security Breach Act and admit failure to notify the attorney general's office in the time required.
As is customary in data breaches, WellPoint has agreed to provide two years of credit monitoring and identity-theft protection to affected customers.
In addition, WellPoint will pay up to $50,000 to customers for losses from the breach.
Zoeller is offering a credit freeze to customers at Indianaconsumer.com, so that identity thieves will be unable to open a line of credit.
"Many companies keep vast quantities of consumers' personal data, and they are required to handle it confidentially and not carelessly," Zoeller said. "That's not just good business practice; that's the law," he added.
"This case should be a teaching moment for all companies that handle consumers' personal data," Zoeller continued. "If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general's office and consumers promptly."
Zoeller advocated paying attention to early warning signs to avoid data breaches.
Recent data breaches have occurred at health care facilities such as Arizona Medical Center in Tucson, Ariz., and Henry Ford Health System in Detroit, where a lost flash drive left the personal information of 2,777 patients at risk.