November 02, 2010

Indiana attorney general sues WellPoint over breach

The Indiana attorney general's office has filed a lawsuit against Indianapolis-based health insurance provider WellPoint for taking months to notify state residents whose personal information was breached.

The lawsuit, filed Friday, contends that WellPoint violated state law, which requires breached businesses to notify affected individuals and the attorney general's office “without reasonable delay,” Attorney General Greg Zoeller said in a news release.

Zoeller said WellPoint learned of the breach, which affected more than 32,000 Indiana citizens, on Feb. 22, but did not begin notifying customers until almost four months later, on June 18.

After learning of the exposure through media reports, Zoeller's office tried to contact WellPoint, receiving a response in late July.

“The delays in notice to both customers and to the attorney general's office are considered unreasonable,” the news release states.

The state is seeking $300,000 in civil penalties.

According to Zoeller, applications for insurance policies submitted to WellPoint that contained citizen's Social Security numbers, financial information and health records may have been available to the public through an unsecured website for at least 137 days, between October 2009 and March 2010.

WellPoint previously had disclosed that the breach was the result of a faulty website upgrade and may have affected 470,000 customers of Anthem Blue Cross, a WellPoint company.

The health insurer is facing at least one other lawsuit over the incident, a class-action complaint filed on behalf of customers whose information was breached.

In a statement sent to SCMagazineUS.com on Tuesday, WellPoint did not address the lawsuit, but said that as soon as the breach was discovered, the company made “necessary security changes” to ensure a similar incident does not occur again.

“Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations,” the statement said.

Meanwhile, this is not the first time WellPoint has experienced a breach.

In 2008, it was discovered that the personal information of about 128,000 WellPoint customers from several states was publicly available on the internet. And in 2006, backup computer tapes containing the personal information of 200,000 members were stolen.

Related Articles
Related Topics
Related Links

Sign up to our newsletters

More in News

House Intelligence Committee OKs amended version of controversial CISPA

Despite the 18-to-2 vote in favor of the bill proposal, privacy advocates likely will not be satisfied, considering two key amendments reportedly were shot down.

Judge rules hospital can ask ISP for help in ID'ing alleged hackers

The case stems from two incidents where at least one individual is accused of accessing the hospital's network to spread "defamatory" messages to employees.

Three LulzSec members plead guilty in London

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, who was not named until now because of his age, all admitted their involvement in the hacktivist gang's attack spree.