If you feel like you need a scorecard to keep track of lawsuits against WellPoint or settlements involving WellPoint, it’s understandable. WellPoint recently settled a lawsuit by the Indiana Attorney General’s Office over delayed notification following a breach that occurred in 2009 and continued until after a customer notified them twice in 2010.   Then they settled a class action lawsuit over an earlier breach that occurred in 2007 and 2008. Now there’s an announcement of a preliminary approval of a settlement oF a class action lawsuit based on the 2009-210 breach:

The Orange County Superior Court (the “Court”) has preliminarily approved a class action settlement in the case entitled Blue Cross of California Website Security Cases, Case No. JCCP 4647, reached with Anthem Blue Cross of California, Anthem Blue Cross Life and Health Insurance Company, The WellPoint Companies, Inc., WellPoint California Services, Inc. and WellPoint Behavioral Health, Inc. (together called “WellPoint/Anthem Blue Cross” or the “Defendants”) in a lawsuit about the potential accessibility of certain personal and financial information contained on individual health insurance applications.  The Court also approved a notice plan to advise the nationwide class of its legal rights, benefits, and options.

The lawsuit alleges that from approximately October 23, 2009, to March 10, 2010, WellPoint/Anthem Blue Cross improperly stored personal information and electronic versions of individual health insurance applications for over 600,000 customers, enrollees or subscribers on its web-based servers without username, password and encryption protections (the “Breach”). This information included personal identifying information and personal health information, such as Social Security numbers, home and office addresses, telephone numbers, credit card numbers and financial information used for premium payments, and other information people may have provided on their health insurance applications.  The lawsuit alleges that WellPoint/Anthem Blue Cross did not adequately protect this information. WellPoint/Anthem Blue Cross denies the claims in the lawsuit. The class settlement does not mean that WellPoint/Anthem Blue Cross did anything wrong.

People included in the settlement are called a “Class” or “Class Members.”  Those who receive a notice about this settlement in the mail and/or email or received a letter from WellPoint regarding this issue between June and August 2010, have been identified as a Class Member. Specifically, the Class includes everyone in the United States, including Puerto Rico, U.S. Virgin Islands and Guam (1) whose private information was on WellPoint/Anthem Blue Cross’ Affected Servers from August 15, 2008, through March 10, 2010, or (2) who received a notification letter from WellPoint/Anthem Blue Cross regarding the alleged failure of WellPoint/Anthem Blue Cross to secure their confidential personal and private information.

Notices informing Class Members about their legal rights will be mailed and emailed directly to them in the weeks leading up to the Court’s November 14, 2011 hearing, where it will consider whether to grant final approval of the settlement.

The Court has appointed Daniel Robinson, Robinson, Calcagnie & Robinson, of Newport Beach, California as Lead Settlement Class Counsel to represent the Class.

In the settlement, Class Members may be entitled to receive, in addition to other benefits, up to two (2) years of Free Debix Credit Monitoring and Identity Theft Insurance (valued at $238.80) at no cost to them (only one (1) year if a Class Member already elected to receive one (1) year of Debix coverage).  Additionally, if a Class Member is found to be a victim of identity theft or loss stemming from the Breach, such a Class Member would be entitled to receive five (5) additional years of monitoring and insurance (valued at $597.00).  Those affected by this settlement can sign up or submit a claim for certain benefits, if eligible, or they can ask to be excluded from, or object to, the settlement.  The deadline for exclusions and objections is October 24, 2011.  The earliest deadline to file claims is September 28, 2011.

A toll-free number, 1-877-527-2354, has been established in the case, along with a website,www.AnthemBlueCrossSecuritySettlement.com, where notices, claim forms, and the settlement agreement may be obtained.  Those affected may also write to WellPoint/Blue Cross Website Security Settlement Administrator, P.O. Box 6177, Novato, CA94948-6177.

Three settlements so far over two breaches. I really do wonder if WellPoint was using the same vendor as had been involved in the 2007-2008 breach. And I wonder if the Connecticut Attorney General decided not to file its own lawsuit against them for delayed notification like Indiana’s Attorney General had. Connecticut had sent a letter of inquiry, investigating, but I never saw any follow-up one way or the other.