The Indiana attorney general’s office has filed a lawsuit against Indianapolis-based health insurance provider WellPoint for taking months to notify state residents whose personal information was breached.
The lawsuit, filed Friday, contends that WellPoint violated state law, which requires breached businesses to notify affected individuals and the attorney general’s office “without reasonable delay,” Attorney General Greg Zoeller said in a news release.
Zoeller said WellPoint learned of the breach, which affected more than 32,000 Indiana citizens, on Feb. 22, but did not begin notifying customers until almost four months later, on June 18.
After learning of the exposure through media reports, Zoeller’s office tried to contact WellPoint, receiving a response in late July.
“The delays in notice to both customers and to the attorney general’s office are considered unreasonable,” the news release states.
The state is seeking $300,000 in civil penalties.
According to Zoeller, applications for insurance policies submitted to WellPoint that contained citizen’s Social Security numbers, financial information and health records may have been available to the public through an unsecured website for at least 137 days, between October 2009 and March 2010.
WellPoint previously had disclosed that the breach was the result of a faulty website upgrade and may have affected 470,000 customers of Anthem Blue Cross, a WellPoint company.
The health insurer is facing at least one other lawsuit over the incident, a class-action complaint filed on behalf of customers whose information was breached.
In a statement sent to SCMagazineUS.com on Tuesday, WellPoint did not address the lawsuit, but said that as soon as the breach was discovered, the company made “necessary security changes” to ensure a similar incident does not occur again.
“Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members’ and applicants’ personal information, in accordance with all applicable laws and regulations,” the statement said.
Meanwhile, this is not the first time WellPoint has experienced a breach.
In 2008, it was discovered that the personal information of about 128,000 WellPoint customers from several states was publicly available on the internet. And in 2006, backup computer tapes containing the personal information of 200,000 members were stolen.