Indiana Attorney General Gregory Zoeller (R) recently filed a lawsuit against health insurer WellPoint regarding a breach of customer information affecting more than 32,000 individuals, Modern Healthcare reports.
The suit alleges that WellPoint -- the largest health insurance company in the nation -- failed to meet state rules to alert policyholders about the breach in a timely manner (Conn, Modern Healthcare, 11/1).
The lawsuit states that personal information was available on a WellPoint website between October 2009 and March 2010. The information included:
- Personal health information;
- Dates of birth;
- Addresses; and
- Social Security numbers (Goedert, Health Data Management, 11/1).
Molly Butters -- public information officer from the attorney general's consumer protection division -- said that on Feb. 22, a woman who was applying for insurance for her son notified WellPoint that her son's information was accessible online.
The attorney general said that although the insurer unsuccessfully tried to contact the woman, WellPoint did not investigate her claim any further (Modern Healthcare, 11/1).
On March 8, the woman filed a class-action complaint on behalf of herself and others who were affected by the breach.
Within 12 hours of receiving the class-action suit, WellPoint took steps to correct the breach, according to the insurer (Health Data Management, 11/1).
Cindy Sanders -- WellPoint's regional director of public relations -- said, "As soon as the situation was discovered, we made the necessary security changes to prevent it from happening again."
The attorney general's complaint against the insurer claims that WellPoint did not tell customers about the breach until June 18.
Though state law does not mention a specific deadline to notify customers of a breach after learning of the incident, the law does state that the notification must be given "without unreasonable delay" (Modern Healthcare, 11/1).
Indiana is seeking civil penalties against WellPoint worth $300,000 (Health Data Management, 11/1).