Indianapolis-based health insurer WellPoint will pay $100,000 to settle a data breach that exposed the personal information of 32,000 Indiana customers.

The settlement, filed on June 23 and announced this week, resolves a lawsuit in which Indiana Attorney General Greg Zoeller contended that WellPoint violated a state law requiring businesses that experience data breaches to notify victims and the attorney general “without unreasonable delay.”

WellPoint, the parent company of Anthem Blue Cross and Blue Shield, has agreed, as part of the settlement, to provide two years of credit monitoring and identity theft protection services to Indiana customers affected by the breach, Zoeller said. The health insurer will also reimburse those affected up to $50,000 for identity theft losses due to the exposure.

During the breach, personal information – including Social Security numbers, financial information and health records – was available to the public through an unsecured website for at least 137 days, between October 2009 and March 2010.

WellPoint discovered the lapse on Feb. 22, 2010, and began notifying affected customers four months later, on June 18. The health insurer failed to simultaneously notify the Attorney General's Office, as required by law. Zoeller's office found out about the exposure through media reports.

“The requirement to notify the Attorney General 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper,” Zoeller said in a statement Tuesday.

The impact of the exposure, which stemmed from a faulty website upgrade, extended well beyond Indiana. Approximately 645,000 customers nationwide have been notified about the breach, Zoeller said.

In a statement sent on Tuesday, WellPoint did not address the settlement, but said the company is committed to protecting the privacy and security of applicants' personal data.

"We have implemented IT security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately," the statement said.