The Indiana Attorney General’s office has filed a lawsuit against Indianapolis-based WellPoint, claiming the health insurance provider didn't notify customers or the Attorney General’s office in a timely manner following a data breach earlier this year affecting more than 32,000 people.
Indiana law requires businesses to notify individuals potentially affected by a data breach, as well as the Attorney General’s office, without unreasonable delay. The notification requirement took effect in July 2009, according to a press release from the Indiana Attorney General’s office.
Between October 2009 and March of this year, an unsecured website including applications for insurance policies submitted to WellPoint containing Social Security numbers, financial information and health records was potentially available to the general public for at least 137 days, the release stated.
WellPoint was notified on Feb. 22, and again on March 8, that application records containing personal information were accessible through its public website, according to the complaint. However, WellPoint did not begin notifying customers of the security breach until June 18, and the Attorney General's office received a response to its inquiry into the matter on July 30.
“The delays in notice both to customers and to the Attorney General's office are considered unreasonable. The state is seeking $300,000 in civil penalties,” the release stated.
The office has not received any consumer complaints relating to identity theft as a result of the WellPoint data breach, according to the press release.