INDIANAPOLIS (Legal Newsline) - Indiana Attorney General Greg Zoeller announced Tuesday that his office has reached a settlement with a health insurer that will pay the state $100,000.
In a suit against WellPoint Inc. on October 29, Zoeller alleged that the company had violated the Indiana Disclosure of Security Breach Act when the personal information of thousands of customers was potentially available via the Internet. The lawsuit was filed under a new data-breach notification law passed in 2009.
"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general's office and consumers promptly," Zoeller said. "Early warning helps minimize the risk that consumers will fall victim to identity theft."
The data breach occurred between Oct. 23, 2009-March 8, 2010, when the records of 32,051 people in Indiana were potentially accessible through the allegedly unsecured application tracker website that was operated by companies owned by or affiliated with WellPoint for potentially anyone to see. A consumer notified the site on February 22, 2010 and again on March 8, 2010, prompting the company to secure the site.
Although the company was required by law to notify both consumers and Zoeller's office simultaneously, WellPoint only notified of the breach starting June 18, 2010. Zoeller's office contacted WellPoint on July 30, 2010 after learning of the breach through news reports.
House Enrolled Act 1121-2009, requires that companies experiencing a data breach must notify both consumers and the attorney general "without reasonable delay," since prompt notice gives consumers an opportunity to take precautions against identity theft.
"The requirement to notify the Attorney General 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper," Zoeller said.
As part of the agreement, WellPoint has agreed to pay a settlement of $100,000 to the state that Zoeller's office can use in the Consumer Assistance Fund, providing restitution to certain consumers who were defrauded; to comply with the Indiana Code 24-4.9, the Disclosure of Security Breach Act; to admit that it had a security breach and failed to notify Zoeller's office properly as required by law; to provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach; and to provide reimbursement to any WellPoint consumer up to $50,000 for any losses resulting from identity theft due to the breach.
The settlement agreement was filed in court June 23. Zoeller's office has issued warning letters to 47 companies that delayed in issuing notice of security breaches.
"Many companies keep vast quantities of consumers' personal data and they are required to handle it confidentially and not carelessly," Zoeller said. "That's not just good business practice; that's the law."