WellPoint, the Indianapolis-based corporate parent of Indiana's Anthem Blue Cross and Blue Shield as well as Blues plans in 13 other states, has agreed to pay a $100,000 penalty and provide up to two years of credit monitoring and identity-theft protection for 32,000 Hoosiers in a security-breach settlement, Indiana Attorney General Greg Zoeller announced.
"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general's office and consumers promptly," Zoeller said in a news release. "Early warning helps minimize the risk that consumers will fall victim to identity theft."
Zoeller sued WellPoint in October over the breach, which lasted at least 137 days between October 2009 and March 2010 and involved hundreds of thousands of individuals whose personally identifiable information, gleaned from online applications for insurance coverage, was exposed. The breached personal data included names and Social Security numbers and other healthcare information. Zoeller originally sought a $300,000 penalty.
The enforcement action was brought under a 2009 Indiana law that requires companies that experience data breaches to notify their consumers and the attorney general without unreasonable delay.
A consumer notified WellPoint in February 2010 and again in March of that year that records containing personal information possibly could be accessed inappropriately, according to the release. WellPoint didn't notify 470,000 breach-affected customers nationwide until June 2010, the release noted. It later expanded the notification to 645,000 customers. Not until after the breach made news reports and Zoeller's office submitted an inquiry to WellPoint did the attorney general receive a response about the incident, on July 30, according to the release.