Indiana Attorney General Greg Zoeller has filed a lawsuit against insurance company WellPoint for delaying notification of a data breach to the AG's office and to the more than 32,000 customers in Indiana affected.
The suit claims that WellPoint violated two Indiana notification laws with each one carrying a penalty of up to $150,000 in fines, according to Molly Butters, a spokesperson for Zoeller's office.
"Effective July 2009, there's a new law that requires database owners to notify those two groups within a reasonable period of time," Butters said, referring to House Enrolled Act 1121. "After our investigation, we determined that WellPoint did not notify either their customers or our office in a reasonable period based on the information that we uncovered and is in the complaint," she told CIO Insight sister publication eWEEK.
Since the law is new, this is the first time the Indiana AG office has filed a data breach complaint, Butters said.
WellPoint became aware of the breach on March 8, and Zoeller's office found out about the breach in an Indianapolis Star report in June, according to Butters. WellPoint began notifying customers on June 18.
WellPoint was upgrading an authentication and log-in application on the company's application Web site, in SiteMinder, when it failed to implement security protections. A potential identity thief would be able to alter a URL to view applicants' personal information. The data were publicly accessible through an unsecured Web site from October 2009 to March 2010, according to the Indiana AG office.
In addition to Indiana, the breach exposed the information for applicants in nine other states: California, Colorado, Connecticut, Kentucky, Missouri, Nevada, New Hampshire, Ohio and Wisconsin. About 470,000 WellPoint customers may have been affected overall, according to the insurer.
For more, read the eWeek article Data Breach Prompts Indiana to Sue Health Insurer WellPoint.