Health insurer WellPoint will pay a $100,000 fine and offer data breach-related services after admitting it waited months to notify 32,000 Indiana residents that their medical information, Social Security numbers and other personal data may have been posted online, Indiana Attorney General Gregory Zoeller (R) announced on Tuesday, the AP/Google News reports (AP/Google News, 7/6).
Data Breach Details
In October 2010, Zoeller filed a lawsuit stating that personal information was available on a WellPoint website between October 2009 and March 2010. The information included:
- Personal health information;
- Names;
- Dates of birth;
- Addresses; and
- Social Security numbers (iHealthBeat, 11/2/10).
In June 2010, WellPoint notified 470,000 individuals nationwide of the data breach and said the incident stemmed from an online tool that allowed people to apply for policies.
The company eventually notified 645,000 individuals nationwide of the data breach (AP/Google News, 7/6).
The lawsuit alleged that WellPoint -- the largest health insurance company in the nation -- failed to meet state rules to alert policyholders about the breach in a timely manner. Zoeller sought civil penalties against WellPoint worth $300,000 (iHealthBeat, 11/2/10).
Settlement Details
The insurer has agreed to pay the $100,000 fine and provide up to two years of credit monitoring and identity theft protection services to affected customers.
The company also will reimburse Indiana members up to $50,000 each for any data breach-related losses, Zoeller said (AP/Google News, 7/6).
WellPoint Reaction
WellPoint spokesperson Gene Rodriguez said that the company is "committed to protecting the privacy and security" of its members' information and that it has implemented security changes to avoid a similar situation (Indy Channel, 7/5).