On July 5, 2011, Indiana Attorney General Greg Zoeller announced a settlement with health insurer WellPoint, Inc. The settlement resolves allegations that the company failed to promptly notify the Attorney General’s office of a data breach as is required by the Indiana Disclosure of Security Breach Act. As part of the settlement, WellPoint will pay a fine of $100,000 and provide certain identity-theft-prevention assistance to consumers affected by the breach. Interestingly, the settlement includes an admission by WellPoint that the company failed to comply with the law by not notifying Zoeller’s office “without unreasonable delay.”
The data breach that gave rise to the Attorney General’s investigation, lawsuit, and ultimate settlement occurred between October 2009 and March 2010. During that time, personal information submitted in connection with applications for individual insurance policies was made publicly accessible via the company’s online application tracker website. The exposed information included Social Security numbers, financial account information, and health records. WellPoint secured the application tracker site in early March 2010, immediately after a consumer told the company, for a second time, that records containing personal information were potentially accessible on the site.
WellPoint notified affected consumers of the breach beginning in June 2010, but did not also notify the Attorney General’s office as required by Indiana law. When Zoeller’s office learned of the breach through news reports in late July, it launched an investigation and in October filed suit against the company seeking an injunction and civil penalties for violations of the Indiana Disclosure of Security Breach Act. The parties’ recent settlement makes the Attorney General’s lawsuit disappear, but not without significant costs to WellPoint. The settlement mandates that WellPoint pay $100,000 into the Attorney General’s Consumer Assistance Fund; comply with the Disclosure of Security Breach Act in the future and admit that it failed to do so in this instance; provide affected consumers with up to two years of credit monitoring; and reimburse affected consumers up to $50,000 for any losses that result from identity theft stemming from the breach.
Although WellPoint is currently the public face of improper breach notification in Indiana, it is apparently not alone. Attorney General Zoeller’s office has issued warning letters to 47 other companies that delayed issuing appropriate security breach notifications. Perhaps it should go without saying, but according to Zoeller, “[t]he requirement to notify the Attorney General ‘without unreasonable delay’ is not fulfilled by having me read about the breach in the newspaper.” Sounds simple enough, but are you faster than the reporters? We certainly hope so.