Health insurer WellPoint Inc. will pay the State a $100,000 settlement over a data breach where the personal information of thousands of WellPoint customers was potentially accessible via the Internet. The settlement resolves a lawsuit that Indiana Attorney General Greg Zoeller’s office filed under a new data-breach notification law passed in 2009.
“This case should be a teaching moment for all companies that handle consumers’ personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General’s Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft,” Zoeller said.
The data breach occurred when applications for individual insurance policies submitted to WellPoint – containing social security numbers, financial information and health records — were potentially accessible through an unsecured web site from October 23, 2009, to March 8, 2010. The records of 32,051 people in Indiana were potentially accessible through the online application tracker website operated by companies owned by or affiliated with WellPoint for potentially anyone to see.
A notification to WellPoint was made by a consumer February 22, 2010, and again on March 8, 2010, that records containing personal information were potentially accessible. Upon notification, WellPoint immediately secured the site.
Consumers were notified of the data breach beginning June 18, 2010. Although required by law to also simultaneously notify the Attorney General’s Office of a data breach, WellPoint did not immediately do so. News reports of the data breach prompted the Attorney General’s Office to initiate the contact to WellPoint on July 30, 2010, and launch an inquiry.
Under a recent state law, House Enrolled Act 1121-2009, companies that experience data breaches must notify both their consumers and the Attorney General “without unreasonable delay.” Prompt notice allows consumers to take precautions to mitigate the risk of identity theft.
“The requirement to notify the Attorney General ‘without unreasonable delay’ is not fulfilled by having me read about the breach in the newspaper,” Zoeller noted.
As the arm of state government that enforces data privacy laws, the Attorney General filed suit against WellPoint on October 29, 2010, alleging violations of the Indiana Disclosure of Security Breach Act. Filed in Marion County Civil Superior Court 6, the case sought an injunction and civil penalties.
To resolve the litigation and end the lawsuit, WellPoint has agreed to do the following:
- Pay a settlement of $100,000 to the State that the Attorney General’s Office can use in the Consumer Assistance Fund, which provides restitution to certain consumers who were defrauded and provided assistance in investigations of the fraud.
- Agree to comply with the Indiana Code 24-4.9, the Disclosure of Security Breach Act.
- Admit that WellPoint had a security breach and failed to properly notify the Attorney General’s Office as required by law.
- Provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach.
- Provide reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the breach.
The settlement agreement was filed in court June 23 and the court last week granted the State’s motion to dismiss the lawsuit.
During the breach, consumers’ private data was accessible online for approximately 137 days, and one consumer lodged a complaint about possible identity theft as a result of it. Approximately 645,000 consumers nationwide eventually were notified about the breach.
Zoeller urges all consumers, not just those in the WellPoint case, to visit the Attorney General’s web site atwww.indianaconsumer.com to register for a credit freeze through the Attorney General’s Office. The free service will prevent an identity thief from opening a line of credit in the consumer’s name, even if the consumer’s personal information is stolen. Complaints about possible identity theft can be filed at the same web site.
In 2009, Zoeller advocated for passing a new state law the Legislature enacted that session that now requires companies, in the event of a security breach, to notify consumers and the Attorney General’s Office without unreasonable delay. Companies who detect an internal breach should make a written disclosure to the Attorney General’s Identity Theft Unit.
The Attorney General’s Office has issued warning letters to 47 companies that delayed in issuing notice of security breaches. Those included warning letters issued to 39 companies for delays in notifying both consumers and the Attorney General’s Office. Warning letters also were sent to five companies for delays in notifying the AG’s Office only and to three companies for delays in notifying consumers only, records show.
“Many companies keep vast quantities of consumers’ personal data and they are required to handle it confidentially and not carelessly. That’s not just good business practice; that’s the law,” Zoeller added.
Previous coverage of this case on this blog can be found here.