WellPoint, Inc., a major health insurance company, will pay the State of Indiana $100,000 to resolve charges stemming from a data breach. During the security lapse, the personal information of thousands of WellPoint customers was potentially accessible via the Internet.

"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft," said Indiana Attorney General Greg Zoeller.

The WellPoint data breach occurred when applications for individual insurance policies submitted to WellPoint - containing Social Security numbers, financial information and health records - were potentially accessible through an unsecured web site from October 23, 2009, to March 8, 2010. The records of 32,051 people in Indiana were potentially accessible to anyone through the online application tracker website, which was operated by companies owned by or affiliated with WellPoint.

Alert consumer

WellPoint was notified by a consumer on February 22, 2010, and again two weeks later, at which time the company secured the site. WellPoint began informing consumers of the data breach the following June, but ran afoul of the law when it failed to also notify Zoeller's office.

A law passed in 2009 requires companies that experience data breaches to notify both their consumers and the Attorney General "without unreasonable delay." Prompt notice allows consumers to take precautions to mitigate the risk of identity theft. However, Zoeller said he learned of the data breach from news reports.

"The requirement to notify the Attorney General 'without unreasonable delay' is not fulfilled by having me read about the breach in the newspaper," Zoeller noted.

Exposed for 137 days

During the breach, consumers' private data was accessible online for approximately 137 days, and one consumer lodged a complaint about possible identity theft as a result of it. Approximately 645,000 consumers nationwide eventually were notified about the breach.

To resolve the litigation and end the lawsuit, WellPoint has agreed to do the following:

  • Pay a settlement of $100,000 to the State that the Attorney General's Office can use in the Consumer Assistance Fund, which provides restitution to certain consumers who were defrauded and provided assistance in investigations of the fraud. 
  • Agree to comply with the Indiana Code 24-4.9, the Disclosure of Security Breach Act. 
  • Admit that WellPoint had a security breach and failed to properly notify the Attorney General's Office as required by law.
  • Provide up to two years of credit monitoring and identity-theft protection services to Indiana consumers affected by the breach. 
  • Provide reimbursement to any WellPoint consumer of up to $50,000 for any losses that result from identity theft due to the breach.