Indiana Attorney General Greg Zoeller has filed suit against Indianapolis-based WellPoint, the largest U.S. health insurance company, for failure to meet state requirements for prompt notification of a breach of customer information.
According to Zoeller, more than 32,000 WellPoint customers were affected when personal information from their insurance applications, including Social Security numbers, financial information and health records, was made accessible to others via a WellPoint website. The breach lasted for at least 137 days between October 2009 and March 2010.
According to Zoeller's complaint, filed Oct. 29 in Marion County Circuit Court in Indianapolis, "it was possible for an applicant to access tools on WellPoint's website that would allow the applicant to view personal information that belonged to and was submitted by other applicants."
WellPoint was notified of the breach on Feb. 22, 2010, by a customer who had applied for insurance for her son and then discovered her son's information had been exposed, according to Molly Butters, public information officer for the consumer protection division of the attorney general's office.
On March 4, WellPoint tried unsuccessfully to contact the woman who had complained but did not further investigate her claim, according to the attorney general's complaint. On March 8, the woman sued and "WellPoint investigated the complaint and took steps" within 12 hours to secure the information, according to the complaint.
WellPoint did not begin notifying customers of the security breach until June 18, according to the complaint.
Following news reports of the breach, the attorney general's office submitted an inquiry to WellPoint. It received a response on July 30.
Indiana law doesn't specify a time limit for notification but requires that it occur "without unreasonable delay," according to the complaint. The delays in notice to customers and to the attorney general's office were considered unreasonable, according to the complaint. The state is seeking $300,000 in civil penalties.
In an e-mailed statement, Cindy Sanders, regional director of public relations at WellPoint, noted that "As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again." Since then, Sanders said, "out of an abundance of caution," each applicant received a detailed notification "explaining what happened, and was offered identity protection services for one year at no cost."