Indiana sues WellPoint over delayed breach notification
The Indychannel reports:
The attorney general’s office is suing health insurance giant WellPoint Inc. for $300,000 for waiting months to notify customers that their medical records, credit card numbers and other sensitive information may have been exposed online.
The lawsuit filed Friday in Marion County accuses WellPoint of violating a state law that requires businesses to provide notification of data breaches in a timely manner.
State officials said the personal records were exposed for at least 137 days between last October and March. The suit alleges WellPoint learned of the problem Feb. 22 but didn’t start notifying customers until June. WellPoint has said 470,000 individual insurance customers might have been affected.
In a statement Friday, the company said it has worked extensively to ensure customers were not victimized. “Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members’ and applicants’ personal information, in accordance with all applicable laws and regulations,” said spokesman Tony Felts. “As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again.”
The U.S. Dept. of Health and Human Services breach reporting site indicates that on August 6, 2010, WellPoint reported a hacking/IT incident that occurred on Nov 3, 2009. That may be this incident, but WellPoint report that it affected 31,700 individuals and it’s not clear why these numbers differ from either the 470k figure or the 940 figure they had released.
Some background on this breach can be found here, here, and here. In July, Connecticut Attorney General Blumenhal also opened an investigation into the incident. I had commented on WellPoint’s statements about the breach on DataBreaches.net here and here in June.
Note that since HIPAA went into effect in 1996, HHS has not issued a single fine for violation of the Privacy Rule. Whether HHS is still investigating WellPoint over this breach is unknown to me at this point, but I’ll try to file another FOIA request to find out if they closed their investigation.
Cross-posted from PHIprivacy.net
Update: One sentence that was inaccurate was subsequently deleted.