Healthcare Innovators

Indiana's attorney general office has filed suit against health insurer Wellpoint for delaying notification of customers of a data breach earlier this year.

Indiana law requires businesses to notify individuals potentially affected by data breaches, as well as the attorney general's office "without reasonable delay," according to a statement by Indiana AG Greg Zoeller's office.

However, the AG office alleges that data, including social security numbers, health records, and financial information for about 32,000 Indiana consumers were potentially available to the general public through an unsecured Wellpoint website for about 137 days, between October 2009 and March 2010. The data was submitted to Wellpoint from applicants seeking insurance coverage.

The AG office alleges that while Wellpoint was notified on February 22 and March 8 of this year that application records containing personal information was accessible from its public website, Wellpoint didn't begin notifying individuals about the security breach until June 18, 2010. Wellpoint did not respond to an inquiry from the AG about news reports regarding the breach until July 30, according to the AG office.

Indiana is seeking $300,000 in civil fines from Wellpoint for the alleged "unreasonable delay" in notifying individuals and the AG's office, according to the AG's statement. The AG's office said it has not received any consumer complaints about identity theft related to the data leak.

"While most inadvertent security breaches do not result in fraud, notifying those affected in a timely manner significantly reduces the risk of identity theft," said the AG office in its statement. "Situations involving the theft of personal information for the purposes of identity theft most often result in some form of fraud occurring within seven to 10 days," said the AG office.

In a statement from Wellpoint sent to InformationWeek in response to seeking comment, the company said, "Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members' and applicants' personal information, in accordance with all applicable laws and regulations."

Anthem Blue Cross and Blue Shield is Wellpoint's operations serving several states, including Indiana, Colorado, Connecticut and Maine.

"As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again," said Wellpoint's statement.

"We have worked since discovery of this matter to analyze the data in an effort to identify all individuals whose information may have been impacted," Wellpoint said.

"We made an effort to communicate directly to each of the applicants who were potentially affected. This communication occurred when our extensive analysis was complete."

Finally, "though the majority of individuals who submitted applications were not impacted by the incident, out of an abundance of caution, each applicant received a detailed notification from Anthem Blue Cross and Blue Shield explaining what happened, and was offered identity protection services for one year at no cost."