Health insurer WellPoint Inc. will pay $100,000 and take other steps after admitting it waited months to notify 32,000 Indiana customers that their Social Security numbers, health records and other personal information might have been exposed online, Indiana Attorney General Greg Zoeller said Tuesday.
The Indianapolis-based parent of Anthem Blue Cross and Blue Shield also agreed to provide up to two years of credit monitoring and identity-theft protection to 32,000 affected Indiana consumers and reimburse them up to $50,000 each for any breach-related losses under the agreement filed last week in Marion Superior Court in Indianapolis, Zoeller said.
Zoeller said a consumer notified WellPoint on Feb. 22 and March 8, 2010, that records containing personal information were potentially accessible. WellPoint immediately secured the site then, but didn't notify customers for three months, violating an Indiana law that requires companies that experience data breaches to notify both their consumers and the attorney general "without unreasonable delay."
"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft," Zoeller said.
WellPoint in June 2010 notified 470,000 customers nationwide of the 137-day security breach that occurred between October 2009 and March 2010. It said then that the problem stemmed from an online program customers could use to track the progress of their applications for coverage.
Zoeller said 645,000 customers eventually were notified of the breach.
The company issued a statement Tuesday saying it has implemented security changes to prevent further breaches from occurring.
"We have received no indication that any information that may have been accessed has been used inappropriately," the statement said.
WellPoint spokeswoman Gene Rodriguez, asked if the company had settled with consumers in any other states, replied, "We are in the process of resolving all issues related to the breach." The company runs Blue Cross Blue Shield plans in 14 states and Unicare plans in several others.
Three years ago, WellPoint offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor's office.